

PRIVACY IN THE HANDS OF THE GOVERNMENT: THE PRIVACY OFFICER FOR THE DEPARTMENT OF HOMELAND SECURITY AND THE PRIVACY OFFICER FOR THE DEPARTMENT OF JUSTICE


HEARING 

BEFORE THE 

SUBCOMMITTEE ON 

COMMERCIAL AND ADMINISTRATIVE LAW

OF THE 

COMMITTEE ON THE JUDICIARY 
HOUSE OF REPRESENTATIVES

ONE HUNDRED NINTH CONGRESS 

SECOND SESSION 


MAY 17, 2006 


Serial No. 109-155 


Printed for the use of the Committee on the Judiciary 



Available via the World Wide Web: http://judiciary.house.gov 


U.S. GOVERNMENT PRINTING OFFICE 
27-606 PDF WASHINGTON : 2006 


For sale by the Superintendent of Documents, U.S. Government Printing Office 
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 


COMMITTEE ON THE JUDICIARY 


F. JAMES SENSENBRENNER, JR., Wisconsin, Chairman
HENRY J. HYDE, Illinois 
HOWARD COBLE, North Carolina 
LAMAR SMITH, Texas 


ELTON GALLEGLY, California 
BOB GOODLATTE, Virginia 
STEVE CHABOT, Ohio 
DANIEL E. LUNGREN, California 
WILLIAM L. JENKINS, Tennessee 
CHRIS CANNON, Utah 
SPENCER BACHUS, Alabama 
BOB INGLIS, South Carolina 
JOHN N. HOSTETTLER, Indiana 
MARK GREEN, Wisconsin 
RIC KELLER, Florida 
DARRELL ISSA, California 
JEFF FLAKE, Arizona 
MIKE PENCE, Indiana 
J. RANDY FORBES, Virginia 
STEVE KING, Iowa 
TOM FEENEY, Florida 
TRENT FRANKS, Arizona 
LOUIE GOHMERT, Texas 


JOHN CONYERS, JR., Michigan
HOWARD L. BERMAN, California 
RICK BOUCHER, Virginia 
JERROLD NADLER, New York 
ROBERT C. SCOTT, Virginia 
MELVIN L. WATT, North Carolina 
ZOE LOFGREN, California 
SHEILA JACKSON LEE, Texas 
MAXINE WATERS, California 
MARTIN T. MEEHAN, Massachusetts 
WILLIAM D. DELAHUNT, Massachusetts 
ROBERT WEXLER, Florida 
ANTHONY D. WEINER, New York 
ADAM B. SCHIFF, California 
LINDA T. SANCHEZ, California 
CHRIS VAN HOLLEN, Maryland 
DEBBIE WASSERMAN SCHULTZ, Florida 


Philip G. Kiko, Chief of Staff-General Counsel 
Perry H. Apelbaum, Minority Chief Counsel 


Subcommittee on Commercial and Administrative Law 


CHRIS CANNON, Utah Chairman 


HOWARD COBLE, North Carolina 
TRENT FRANKS, Arizona 
STEVE CHABOT, Ohio 
MARK GREEN, Wisconsin 
J. RANDY FORBES, Virginia 
LOUIE GOHMERT, Texas 


MELVIN L. WATT, North Carolina 
WILLIAM D. DELAHUNT, Massachusetts 
CHRIS VAN HOLLEN, Maryland 
JERROLD NADLER, New York 
DEBBIE WASSERMAN SCHULTZ, Florida 


Raymond V. Smietanka, Chief Counsel 
Susan A. Jensen, Counsel 
Brenda Hankins, Counsel 
Mike Lenn, Full Committee Counsel 
Stephanie Moore, Minority Counsel 





CONTENTS 


MAY 17, 2006 
OPENING STATEMENT 

Page 

The Honorable Chris Cannon, a Representative in Congress from the State of Utah, and Chairman, Subcommittee on Commercial and Administrative Law .... 1

The Honorable Melvin L. Watt, a Representative in Congress from the State of North Carolina, and Ranking Member, Subcommittee on Commercial and Administrative Law .... 6

WITNESSES 

Ms. Maureen Cooney, Acting Chief Privacy Officer, U.S. Department of Homeland Security, Washington, DC
Oral Testimony .... 9
Prepared Statement .... 11

Ms. Jane C. Horvath, Chief Privacy and Civil Liberties Officer, U.S. Department of Justice, Washington, DC
Oral Testimony .... 15
Prepared Statement .... 17

Ms. Sally Katzen, Professor, George Mason University Law School, Arlington, VA
Oral Testimony .... 25
Prepared Statement .... 26

Ms. Linda D. Koontz, Director, Information Management Issues, U.S. Government Accountability Office, Washington, DC
Oral Testimony .... 31
Prepared Statement .... 33

LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING 

Prepared Statement of the Honorable Chris Cannon, a Representative in Congress from the State of Utah, and Chairman, Subcommittee on Commercial and Administrative Law .... 2

Prepared Statement of the Honorable Melvin L. Watt, a Representative in Congress from the State of North Carolina, and Ranking Member, Subcommittee on Commercial and Administrative Law .... 4

APPENDIX 

Material Submitted for the Hearing Record 

Response to Post-Hearing Questions from Maureen Cooney, Acting Chief Privacy Officer, U.S. Department of Homeland Security, Washington, DC .... 64

Response to Post-Hearing Questions from Sally Katzen, Professor, George Mason University Law School, Arlington, VA .... 68

Response to Post-Hearing Questions from Linda D. Koontz, Director, Information Management Issues, U.S. Government Accountability Office, Washington, DC .... 70






PRIVACY IN THE HANDS OF THE GOVERNMENT: THE PRIVACY OFFICER FOR THE DEPARTMENT OF HOMELAND SECURITY AND THE PRIVACY OFFICER FOR THE DEPARTMENT OF JUSTICE


WEDNESDAY, MAY 17, 2006 

House of Representatives,
Subcommittee on Commercial and Administrative Law,
Committee on the Judiciary,
Washington, DC.

The Subcommittee met, pursuant to notice, at 2:06 p.m., in Room 
2141, Rayburn House Office Building, the Honorable Chris Cannon 
(Chairman of the Subcommittee) presiding. 

Mr. Cannon. The Subcommittee will please come to order. 

At the outset I want to note that immediately following the hear- 
ing, we have scheduled the markup of H.R. 2840, the “Federal 
Agency Protection of Privacy Act.” 

Let me begin this hearing with an observation written in 1787 
by Alexander Hamilton, one of our Founding Fathers, and one of 
the more interesting of them. He wrote: “Safety from external dan- 
ger is the most powerful director of national conduct. Even the ar- 
dent love of liberty will, after a time, give way to its dictates. The 
violent destruction of life and property incident to war, the con- 
tinual effort and alarm attendant on a state of continual danger, 
will compel nations the most attached to liberty to resort for repose 
and security to institutions which have a tendency to destroy their 
civil and political rights. To be more safe, they at length become 
willing to run the risk of being less free.” 

Mr. Hamilton’s comments are as insightful today as they were 
when he wrote them more than two centuries ago. 

In this post- 9/11 world, it is no easy task to balance the com- 
peting goals of keeping our Nation secure while at the same time 
protecting the privacy rights of our Nation’s citizens. 

As many of you know, the protection of personal information in 
the hands of the Federal Government has long been a top priority 
for my Subcommittee, the Subcommittee on Commercial and Ad- 
ministrative Law. Under the leadership of House Judiciary Com- 
mittee Chairman Sensenbrenner, our Subcommittee has played a 
major role in protecting personal privacy and civil liberties. 

Our accomplishments to date include the establishment of the first statutorily created privacy office in a Federal agency, namely, the Department of Homeland Security. That office has since earned plaudits from both the private and public sectors, including the GAO.

Just this week, the DHS Privacy Office submitted to Congress a 
comprehensive assessment of the impact of automatic selectee and 
so-called no-fly lists for airline passengers on privacy and civil lib- 
erties. While these lists can be useful tools for preventing terrorist 
activity endangering the safety of airline passengers and others, 
the collection of personal information to create these tools could 
raise concerns about their impact on privacy and civil liberties. I 
think we will be interested to hear Ms. Cooney’s summary of this 
report as part of today’s hearing. 

Inspired by the successes of the DHS Privacy Office, our Sub- 
committee also spearheaded the creation of a similar function in 
the Justice Department, which was signed into law in January of 
this year. Ms. Horvath, another of our witnesses, was appointed to 
fill this important position on February 21. We also look forward 
to hearing from Ms. Horvath about her views and goals as the 
Chief Privacy and Civil Liberties Officer for the Justice Depart- 
ment. 

To supplement these efforts, our Subcommittee has also con- 
ducted oversight hearings on the subject of the Government’s use 
of personal information. These include a hearing held on the 9/11 
Commission’s privacy-related recommendations as well as a hear- 
ing held just last month on the respective roles that the Federal 
Government and information resellers have with respect to per- 
sonal information collected in commercial databases. 

As technological devices increasingly facilitate the collection, use, 
and dissemination of personally identifiable information, the poten- 
tial for misuse of such information escalates. Five years ago, the 
GAO warned: “Our Nation has an increasing ability to accumulate, 
store, retrieve, cross-reference, analyze, and link vast numbers of 
electronic records in an ever faster and more cost-efficient manner. 
These advances bring substantial Federal information benefits as 
well as increasing responsibilities and concerns.” 

Unfortunately, the GAO continues to find, as we learned from 
our hearing last month, that Federal agencies’ compliance with the 
Privacy Act and other requirements is, to quote, “uneven.” 

It is against this complex but exceedingly interesting backdrop 
that we are holding this hearing today. 

I now turn to my colleague, Mr. Watt, the Ranking Member of 
the Subcommittee, and ask him if he has any opening remarks. 
But before I recognize him, I just want to say that we appreciate 
working with Mr. Watt on these issues. He has been a — this Com- 
mittee has worked well together, and he has been a great support 
and addition. And with that, Mr. Watt, I recognize you for an open- 
ing statement for 5 minutes. 

[The prepared statement of Mr. Cannon follows:] 

Prepared Statement of the Honorable Chris Cannon, a Representative in Congress from the State of Utah, and Chairman, Subcommittee on Commercial and Administrative Law

Let me begin this hearing with an observation written in 1787 by Alexander 
Hamilton, one of our Founding Fathers. He wrote: 

“Safety from external danger is the most powerful director of national conduct. Even the ardent love of liberty will, after a time, give way to its dictates. The violent destruction of life and property incident to war, the continual effort and alarm attendant on a state of continual danger, will compel nations the most attached to liberty to resort for repose and security to institutions which have a tendency to destroy their civil and political rights. To be more safe, they at length become willing to run the risk of being less free.”

Mr. Hamilton’s comments are as insightful today as they were when he wrote 
them more than two centuries ago. 

In this post-September 11th world, it is no easy task to balance the competing 
goals of keeping our nation secure while at the same time protecting the privacy 
rights of our nation’s citizens. 

As many of you know, the protection of personal information in the hands of the 
federal government has long been a top priority for my Subcommittee — the Sub- 
committee on Commercial and Administrative Law. Under the leadership of House 
Judiciary Committee Chairman Sensenbrenner, our Subcommittee has played a 
major role in protecting personal privacy and civil liberties. 

Our accomplishments to date include the establishment of the first statutorily-cre- 
ated privacy office in a federal agency, namely the Department of Homeland Secu- 
rity. That office has since earned plaudits from both the private and public sectors, 
including the GAO. 

Just this week, the DHS Privacy Office submitted to Congress a comprehensive 
assessment of the impact of automatic selectee and so-called “no-fly” lists for airline 
passengers on privacy and civil liberties. While these lists can be useful tools for 
preventing terrorist activity endangering the safety of airline passengers and others, 
the collection of personal information to create these tools could raise concerns about 
their impact on privacy and civil liberties. I think we will be very interested to hear 
Ms. Cooney’s summary of this report as part of today’s hearing. 

Inspired by the successes of the DHS Privacy Office, our Subcommittee also spear- 
headed the creation of a similar function in the Justice Department, which was 
signed into law in January of this year. Ms. Horvath, another of our witnesses, was 
appointed to fill this important position on February 21st. We also look forward to 
hearing from Ms. Horvath about her views and goals as the Chief Privacy and Civil 
Liberties Officer for the Justice Department. 

To supplement these efforts, our Subcommittee has also conducted oversight hear- 
ings on the subject of the government’s use of personal information. These include 
a hearing held on the 9/11 Commission’s privacy-related recommendations as well 
as a hearing held just last month on the respective roles that the federal govern- 
ment and information resellers have with respect to personal information collected 
in commercial databases. 

As technological developments increasingly facilitate the collection, use, and dis- 
semination of personally identifiable information, the potential for misuse of such 
information escalates. Five years ago, the GAO warned: 

“Our nation has an increasing ability to accumulate, store, retrieve, cross-ref- 
erence, analyze, and link vast numbers of electronic records in an ever faster 
and more cost-efficient manner. These advances bring substantial federal infor- 
mation benefits as well as increasing responsibilities and concerns.” 

Unfortunately, the GAO continues to find — as we learned from our hearing last 
month — that federal agencies’ compliance with the Privacy Act and other require- 
ments is “uneven.” 

It is against this complex, but exceedingly interesting backdrop that we are hold- 
ing this hearing today. 

Mr. Watt. Thank you, Mr. Chairman, and I am going to ask that my civil written statement be put in the record.

Mr. Cannon. Without objection, so ordered. 

[The prepared statement of Mr. Watt follows:] 





Prepared Statement of the Honorable Melvin L. Watt, a Representative in 
Congress from the State of North Carolina, and Ranking Member, Sub- 
committee on Commercial and Administrative Law 

STATEMENT OF REP. MELVIN L. WATT 

Ranking Member, House Judiciary Subcommittee on Commercial and Administrative Law 

Hearing on “Privacy in the Hands of the Government: The Privacy Officer for the Department of Homeland Security and the Privacy Officer for the Department of Justice”

Markup, H.R. 2840, the “Federal Agency Protection of Privacy Act of 2005” 

May 17, 2006 

2141 Rayburn House Office Building 

Thank you, Mr. Chairman, and thank you for convening this very important 
hearing. 

The privacy issues that confront our country as a result of extraordinary 
technological advances are significant. The ramification of how we treat the 
privacy of personally identifiable information is heightened in a post 9/11 world.

As a Member of both the Financial Services and Judiciary Committees, I have 
heard testimony from numerous witnesses on the enhanced concerns with the 
government’s acquisition, maintenance and dissemination of personal information 
and the opportunities for identity theft and other abuse and misuse of personal 
details created by the massive data-mining of this information. 

One of the main recommendations of the 9/11 Commission was the
establishment of a government wide watchdog to safeguard civil liberties. The 
Commission found that currently “there is no office within the government whose 
job it is to look across the government at the actions we are taking to protect 
ourselves to ensure that liberty concerns are appropriately considered.” I believed then, and I continue to believe, that a strong Privacy and Civil Liberties Oversight Board, with appropriate subpoena power, is essential to the preservation of the rights of American citizens to some level of personal privacy.

A weaker version of the Privacy Oversight Board was established and I understand the Members of the board have been empaneled. With the creation of this Board, the question arises about how the procedures mandated by H.R. 2840 (which we will mark-up following this hearing, and on which I was an original co-sponsor 2 terms ago) will complement, duplicate or undermine the work of the Board. Does H.R. 2840 impose an additional layer of process on overburdened agencies? Will the bill be effective in reaching its intended results or give the false appearance to the American public that every measure is being taken to prevent government abuse of personal information obtained from whatever source?

I am happy to see some of our witnesses back with us today. I am looking forward to your expertise on what I believe to be the shared goal of preserving a sphere of individual privacy while permitting the government the opportunity to do its job. I look forward to your testimony.





Mr. Watt. Thank you, sir, and then I’m going to stray to make 
some less civil remarks, so you might have bragged too early be- 
cause I’m feeling a sense of frustration here. 

I’m reflecting back to a point several terms ago when eyebrows 
were raised by the fact that Representative Bob Barr, one of the, 
quote-unquote, more conservative Members of this Committee, and 
Representative Mel Watt, quote-unquote, one of the more liberal 
Members of this Committee, met out here in front of the Capitol 
and had a press conference about a bill that is this bill. 

Well, we marked it up, and Mr. Barr is now gone on into the pri- 
vate sector. The year after he left, we marked it up again. And, you 
know, at some point we’re going to have to do something on this 
issue more than mark up this bill in the Subcommittee if we are 
going to begin to be serious about doing what we need to do, it 
seems to me. 

And so it is from that that I am feeling this great sense of frus- 
tration that I am beginning to get the feeling that any time some 
of my colleagues want to feel like they want to say publicly that 
they are doing oversight over our Government or interested in pro- 
tecting privacy rights, the way to do that is to put this bill back 
on for another hearing and another markup, and then next term 
of Congress we’ll be back doing the same thing over and over again 
as we now have been doing — what? — two or three, maybe — I don’t 
know how many terms of Congress we’ve marked this bill up and 
had hearings on it. 

So if I’m feeling a little frustrated, it’s not because I don’t think 
this is something important. It is more important today than it was 
when we started three or four terms of Congress ago. 

Yeah, we thought the Government was doing some things to in- 
vade the privacy rights of individuals, but we certainly — our Gov- 
ernment wasn’t getting a list of everybody’s phone numbers and 
monitoring phone calls within the United States. So this has gone 
to a level that is so far beyond what we anticipated or thought 
about or thought we were addressing at the time we originally in- 
troduced this bill. And yet here we are having another hearing, 
marking up the bill in our Subcommittee, and so I guess maybe I 
should make a commitment not to be back here next term of Con- 
gress doing the same thing that we’ve done now several times. Un- 
less we are going to be serious about pushing this legislation and 
getting it considered in the full Committee in the House, in the 
Senate, this may be just another show that some of our Members 
think is time to make another public demonstration that we are 
concerned about the privacy rights of our citizens and the possi- 
bility that the Government — the probability — the reality that the 
Government is way over there beyond where they ought to be on 
invading those privacy rights. 

So I will — I’ve put my civilized statement in the record, Mr. 
Chairman. I’ve made my uncivilized statement. But believe me, I’m 
just frustrated about where we are on this issue because we’ve had 
hearing after hearing, we’ve had markup after markup, but we still 
don’t have any real results to show for it. 

So, with that, I yield back. 





Mr. Cannon. The record of this hearing should reflect the Chair- 
man’s view that even when Mr. Watt intends to be uncivil, he is 
an awfully civil human being. 

I hope that the gentleman is not suggesting that there is any 
lack of commitment on my part to this bill, and I point out that 
actually we’ve changed the rules recently that allows us now on 
this side of the Hill to criticize the other side of the Hill for its lack 
of action. We’ve actually passed this bill on the House side from the 
whole — the House of Representatives has passed it out. It has not 
been acted on by the Senate. The Senate is a complicated body, and 
we hope that by passing this again, and maybe again and again — 
we actually passed the Bankruptcy Act eight times before they 
passed it on the other side. So I agree with the gentleman and his 
concerns and wish that this issue were actually behind us. And 
hopefully we’ll take that step today to do that. 

I just might also point out that there’s a difference between mon- 
itoring phone calls and comparing numbers that people are calling 
to connect those phone calls to our enemies outside the country, 
without arguing for the rightness of any of that, just to make the 
distinction on the record here. 

Without objection, all Members may place their statements in 
the record at this point. Hearing no objection, so ordered. 

Without objection, the Chair will be authorized to declare re- 
cesses of the hearing at any point. Hearing no objection, so ordered. 

I ask unanimous consent that the Members have 5 legislative 
days to submit written statements for inclusion in today’s record. 
Hearing no objection, so ordered. 

I’m now pleased to introduce the witnesses for today’s hearing, 
three of whom have previously testified before our Subcommittee. 
We welcome you back and appreciate your continued assistance to 
our Subcommittee. 

Our first witness is Maureen Cooney, the Acting Chief Privacy 
Officer for the Department of Homeland Security. As I previously 
noted, the Subcommittee played a major role in establishing Ms. 
Cooney’s office at DHS. The legislation creating her office not only 
mandated the appointment of a Privacy Officer, but specified the 
officer’s responsibilities. 

One of the principal responsibilities of the DHS Privacy Officer 
as set out by statute is the duty to assure that “the use of tech- 
nologies sustain, and do not erode, privacy protections relating to 
the use, collection, and disclosure of personal information.” In addi- 
tion, the Privacy Officer must assure that personal information is 
handled in full compliance with the Privacy Act and assess the pri- 
vacy impact of the Department’s proposed rules. 

Before joining DHS’ Privacy Office, Ms. Cooney worked on international privacy and security issues at the U.S. Federal Trade Commission where she served as a principal liaison to the European Commission for privacy issues, a very difficult and burdensome task, I’m sure, especially eating in French restaurants on occasion. I hope you had that opportunity. You don’t need to — no incriminating statement is due on that.

She also played a major role in the revision of the guidelines for information systems and networks for the Organization of Economic Cooperation and Development. Prior to that assignment, Ms. Cooney worked on privacy and security issues with the Treasury Department and at the Office of the Comptroller of the Currency. Ms. Cooney received her bachelor’s degree in American Studies from Georgetown University and her law degree from Georgetown University Law Center.

Our next witness is Jane Horvath, the recently appointed Chief 
Privacy Officer and Civil Liberties Officer for the Department of 
Justice. In this capacity, Ms. Horvath is responsible for reviewing 
the Justice Department’s compliance with the privacy laws and 
with developing the Department’s privacy policies. In addition to 
safeguarding privacy, Ms. Horvath oversees the Department’s poli- 
cies relating to the protection of individual civil liberties, specifi- 
cally in the context of DOJ’s counterterrorism and law enforcement 
efforts. These are really awesome responsibilities. Before joining 
the Justice Department, Ms. Horvath was the Director of the 
Washington, D.C., Office of Privacy Laws and Business, a privacy 
consulting firm. While there, she focused on advising U.S. compa- 
nies on international privacy trends among other matters. Ms. 
Horvath received her undergraduate degree from the College of 
William and Mary and her law degree from the University of Vir- 
ginia. 

Professor Sally Katzen is our next witness. Ms. Katzen is a vis- 
iting professor at George Mason University Law School as well as 
the Sachs Scholar at Johns Hopkins University. Next year, she will 
be a Public Interest, Public Service Faculty Fellow at the Univer- 
sity of Michigan Law School. Prior to joining academia in 2001, 
Professor Katzen was responsible for developing privacy policy for 
the Clinton administration for nearly a decade. As the Adminis- 
trator of the Office of Information and Regulatory Affairs at the Of- 
fice of Management and Budget, she was effectively the chief infor- 
mation office — policy official for the Federal Government. Her re- 
sponsibilities included developing Federal privacy policies. Pro- 
fessor Katzen later served as the Deputy Assistant to the President 
for Economic Policy and Deputy Director of the National Economic 
Council in the White House. Thereafter, she became the Deputy Director for Management at OMB. Before embarking on her public service career, Professor Katzen was a partner in the Washington, DC, law firm of Wilmer, Cutler and Pickering, where she specialized in regulatory and legislative matters. Professor Katzen graduated magna cum laude from Smith College and magna cum laude 
from the University of Michigan Law School, where she was editor 
in chief of the Law Review. Following her graduation from law 
school, she clerked for Judge J. Skelly Wright of the United States 
Court of Appeals for the District of Columbia Circuit. 

Our final witness is Linda Koontz, who is the Director of GAO’s 
Information Management Issues Division. In that capacity, she is 
responsible for issues regarding the collection and use and dissemi- 
nation of Government information. Ms. Koontz has led GAO’s in- 
vestigations into the Government’s data-mining activities as well 
as e-Government initiatives. In addition to obtaining her bachelor’s 
degree from Michigan State University, Ms. Koontz received certifi- 
cation as a Government financial manager. 

I extend to each of you my warm regards and appreciation for your willingness to participate in today’s hearing. In light of the fact that your written statements will be included in the hearing record, I request that you limit your oral remarks to 5 minutes. Accordingly, please feel free to summarize highlights of your — or 
highlight the salient points of your testimony. You will note that 
we have a lighting system that starts with a green light. After 4 
minutes, it turns to a yellow light, and then at 5 minutes, it turns 
to a red light. It is my habit to tap the gavel at 5 minutes. We’d 
appreciate it if you’d finish up your thoughts within that time 
frame. We don’t like to cut people off in their thinking, but I find 
that it works much better if everybody knows that 5 minutes is 5 
minutes. So if you could wrap it up by that time, the time we get 
there, I would appreciate that, and I will try to be consistent in my 
tapping, and that includes for other Members of the Committee, 
who are given 5 minutes to ask questions. This is not like an iron- 
clad rule, by the way. Just we actually are interested in what you 
have to say, not in the clock. 

After you’ve presented your remarks, the Subcommittee Mem- 
bers, in the order they arrived, will be permitted to ask questions 
of the witnesses, subject to the 5-minute limit. 

Pursuant to the direction of the Chairman of the Judiciary Com- 
mittee, I ask the witnesses to please stand and raise your right 
hand to take the oath. 

[Witnesses sworn.] 

Mr. Cannon. The record should reflect that each of the witnesses 
answered in the affirmative, and you may be seated. 

Ms. Cooney, would you now please proceed with your testimony? 

TESTIMONY OF MAUREEN COONEY, ACTING CHIEF PRIVACY OFFICER, U.S. DEPARTMENT OF HOMELAND SECURITY, WASHINGTON, DC

Ms. Cooney. Thank you, Chairman Cannon, Ranking Member 
Watt, and Members of the Committee, good afternoon. Thank you 
for the opportunity to speak to the issue of privacy in the hands 
of the Federal Government and most specifically on activities at 
the Department of Homeland Security, the role of the Chief Privacy 
Officer, and initiatives led by the Department’s Privacy Office. 

As the Subcommittee well knows, the Department of Homeland 
Security was the first Federal agency to have a statutorily required 
Privacy Officer. We appreciate the support of this Committee. The 
inclusion of a senior official accountable for privacy policy and pro- 
tections honors the value placed on privacy as an underpinning of 
our American freedoms and democracy. It also reflects Congress’ 
understanding of the growing sensitivity and awareness of the 
ubiquitous nature of personal data flows in both private and public 
sectors, and a recognition of the impact of those data flows upon 
our citizens’ lives. 

At the most recent meeting of the Department’s Data Privacy 
and Integrity Advisory Committee, which was created to advise the 
Secretary and the Chief Privacy Officer on significant privacy 
issues, Secretary Chertoff noted that the Department has the opportunity to build into the sinews of this organization respect for 
privacy and a thoughtful approach to privacy. 

Secretary Chertoff expressed a belief that I share. We want the Government to be a protector of privacy, and we want to build security regimes that maximize privacy protection and that do it in a thoughtful and meaningful way. If done right, it will be not only a long-lasting ingredient of what we do in Homeland Security but a very good template for what Government ought to do in general when it comes to protecting people’s personal autonomy and privacy.

The Chief Privacy Officer and the DHS Privacy Office have a 
special role working in partnership and collaboration across the De- 
partment to integrate privacy into the consideration of the ways in 
which the Department assesses its programs and uses technologies, 
handles information, and carries out our protective mission. 

The Privacy Office has oversight of privacy policy matters and in- 
formation disclosure policy, including compliance with the Privacy 
Act of 1974, the Freedom of Information Act, and the completion 
of privacy impact assessments on all new programs or new collec- 
tions of personal information as required by the E-Government Act 
of 2002 and section 222 of the Homeland Security Act of 2002. 

The Privacy Office also evaluates new technologies used by the 
Department for their impact on personal privacy. Further, the 
Chief Privacy Officer reports directly to the Secretary and is re- 
quired to report to Congress on these matters, as well as on com- 
plaints about possible privacy violations. 

At this point, if I may, I would like to amplify my written testimony by speaking for a few minutes about the U.S. privacy framework that applies to the Federal space. In tandem, the Privacy Act 
of 1974, the Freedom of Information Act that promotes trans- 
parency of Government operations and accountability, a significant 
privacy principle, and the E-Government Act of 2002 that aug- 
mented the Privacy Act by operationalizing privacy reviews for all 
new major data collection systems or significant changes to infor- 
mation systems provide a robust umbrella of privacy protections for 
which the United States can be proud and which I believe is second 
to none in the Government space. Notice, transparency, and ac- 
countability are key to our work in the privacy area. 

Today, I’m very happy to address our efforts in this regard with 
respect to the activities of the Department of Homeland Security 
from a seat at the table during the investment review process at 
DHS for technology acquisitions and program funding, through all 
steps of the technology and program lifecycle development process, 
the use of PIAs to integrate privacy considerations into standards, 
strategic planning for programs at the Department, and notice to 
the public through systems of record notices, to audits and over- 
sight and the development of policy guidance and implementation 
on key data issues. 

I thank you again for the opportunity to share the accomplish- 
ments of the DHS Privacy Office, which I have noted in our written 
testimony, and hope to demonstrate through both the written and 
oral testimony the importance of privacy in the hands of the De- 
partment of Homeland Security and how important it is as a part 
of our culture. We appreciate the support this Subcommittee has 
given to our office and look forward to working with you on matters 
of mutual interest and concern. 

Thank you again. 

[The prepared statement of Ms. Cooney follows:] 

Prepared Statement of Maureen Cooney 

Chairman Cannon, Ranking Member Watt, and Members of the Subcommittee, I 
am delighted to be back before you today to discuss Privacy in the Hands of the 
Government as it pertains to activities of the Department of Homeland Security and 
the efforts of the Privacy Office. Building privacy attentiveness into the very sinews 
of our still young agency is a responsibility that we take seriously at DHS. 

In the eight months that I have served as Acting Chief Privacy Officer, within 
the Privacy Office we have continued to develop and operationalize privacy policy 
for the Department, consistent with our statutory mission in Section 222 of the 
Homeland Security Act and with support and partnership throughout the Depart- 
ment. And as I hope the following testimony will demonstrate, we have been ac- 
tively implementing our statutory responsibilities as part of the larger mission of 
the Department. By ensuring that the Department’s programs, policies, personnel, 
and technologies account for and embrace fair information principles — the use of 
personal information for legitimate, tailored, and sound purposes — the Privacy Of- 
fice has worked to enhance public trust in the Department and to ensure the protec- 
tion of an essential right of our people. 

My predecessor, Nuala O’Connor Kelly, testified before this Subcommittee in Feb- 
ruary 2004, and outlined the first year activities of the DHS Privacy Office. I would 
like to update the Subcommittee on our continued work since that time and our 
plans for future initiatives. 

The Privacy Office has focused on making privacy an integral part of DHS oper- 
ations. We often use the phrase “operationalizing privacy” to describe these efforts. 
We want DHS personnel to think about privacy every time they consider the collec- 
tion, use, maintenance or disclosure of personally identifiable information. Our ef- 
forts to operationalize privacy have encompassed a number of activities. 

OPERATIONALIZING PRIVACY THROUGH COMPLIANCE 

One way to operationalize privacy is to ensure that DHS is fully compliant with 
statutory privacy requirements and the DHS Privacy Office has been actively en- 
gaged in this effort. 

In my previous appearance before the Subcommittee, which focused on the use by 
the government of data from information resellers, I outlined for the Subcommittee 
how we have used the E-Government Act of 2002’s requirement that Privacy Impact 
Assessments be conducted for new or substantially revised information systems to 
make sure that privacy is built into DHS programs and that there is transparency 
about the types of information used by DHS as well as the purposes for which the 
information is used. PIAs are fundamental in making privacy an operational ele- 
ment within the Department and we have fully utilized this tool to embed privacy 
as part of DHS operations. 

To do this, we have updated and refined our guidance on conducting Privacy Im- 
pact Assessments and have distributed it widely both internally to DHS offices and 
programs and externally to other agencies. Along with the guidance, we also have 
issued a template for DHS offices to follow in drafting Privacy Impact Assessments. 
We have fully utilized our Privacy Office website for transparency purposes and 
have posted these documents so that the public is also aware of our guidance. 

“Imitation is the sincerest form of flattery,” according to an old expression, and 
I am happy to report that the DHS Privacy Office’s PIA Guidance has served as 
the basis for other agencies’ PIA activities. For example, our PIA template served 
as the basis for a model PIA for HSPD-12 (Common Identification Standards for 
Federal Employees) implementation, which was distributed by the Office of Manage- 
ment and Budget through its Interagency Privacy Committee. In addition, other fed- 
eral agencies have requested to liberally borrow the guidance and we are happy to 
be able to share it and to add to government efficiency and harmonization of ap- 
proaches to privacy in the government space. 

In addition to requiring that DHS programs conduct Privacy Impact Assessments 
for new or substantially revised programs, privacy is one of the issues that must 
be addressed before funding is awarded to a program that involves the collection, 
use and maintenance of personally identifiable information. The Privacy Office pro- 
vides significant support to the DHS Office of the Chief Information Officer (OCIO) 
in the budget process by ensuring that all proposed spending on information tech- 
nology investments that involve personally identifiable information meets privacy 
requirements. Not only are our programs required to complete a Privacy Threshold 
Analysis, which helps us to determine whether a full Privacy Impact Assessment 
is necessary, but funding for DHS programs through the budget process cannot go 
forward without program compliance with privacy mandates. The DHS Privacy Of- 
fice therefore has a strong “stick” to accompany the “carrot” of funding to ensure 
that privacy becomes operationalized in DHS programs. 

Privacy compliance reviews are another important tool for operationalizing pri- 
vacy into DHS programs, and during this past year, the Privacy Office undertook 
the first privacy review of what we expect to be many when we analyzed compliance 
by the U.S. Customs and Border Protection (CBP) with its Passenger Name Record 
(PNR) Undertakings. These Undertakings were provided by CBP to the European 
Commission in order to demonstrate that CBP has adequate privacy protocols in 
place to protect personally identifiable information as a condition precedent to re- 
ceiving PNR information about European airline passengers. Based on the Under- 
takings, the EU agreed to share passenger name record information with CBP in 
order to fight terrorism and other serious crimes as well as to facilitate transatlantic 
travel. 

The Privacy Office’s compliance review consisted of a full analysis of CBP policies 
and procedures, interviews with key managers and staff who handle PNR, and a 
technical review of CBP systems and documentation. This compliance review oc- 
curred over a several-month period and as a result of changes recommended by the 
Privacy Office or made unilaterally by CBP, we were able to conclude that CBP 
achieved full compliance with the representations it had made in the Undertakings. 
This finding was the primary factor in the ability of the Privacy Office to conclude 
a successful joint review, with representatives of the EU, of CBP’s compliance with 
the US-EU PNR Agreement. 

We conducted a different kind of compliance review when we examined the use 
of commercial data by the Transportation Security Administration (TSA) in connec- 
tion with the Secure Flight Program after privacy concerns were raised by the Gov- 
ernment Accountability Office. We analyzed whether TSA’s public notices about this 
use of commercial data for testing purposes matched the actual test protocols and 
made recommendations, as a result of this review. The Privacy Office continues to 
work closely with TSA to implement privacy statutory requirements and best prac- 
tices in the design and implementation of this as well as other TSA screening pro- 
grams. 

In compliance with the requirements of the Computer Matching and Privacy Pro- 
tection Act, as amended, the Privacy Office established a Privacy and Data Integrity 
Board to approve matching agreements undertaken by DHS components, as re- 
quired by law, and to weigh in on privacy policy issues of interest and concern to 
the Department. Our Board held several meetings at which we discussed ideas for 
responsible information handling, and the Board was instrumental in assisting the 
Privacy Office in completing several required reports. 

Ensuring publication of appropriate Privacy Act systems of records notices 
(SORNs) rounded out the Privacy Office’s compliance activities. These notices, in 
fact, necessarily are a regular and ongoing part of the Privacy Office’s work and of 
our statutory obligation to ensure that the Department maintains personally identi- 
fiable information in conformity with the requirements of the Privacy Act. 

OPERATIONALIZING PRIVACY THROUGH EDUCATION 

A significant way to increase privacy awareness and ensure that it is embedded 
in DHS is through education and training. The Privacy Office trains all new DHS 
employees as part of their overall orientation to the Department. We continue to de- 
velop, moreover, more robust training courses to be provided to all DHS employees 
and contractors to augment their privacy background and to raise awareness and 
sensitivity about the importance of the respectful use of personal information by the 
Department. And we have conducted training on Privacy Impact Assessment re- 
quirements for individual DHS offices, information technology managers, business 
managers, and systems analysts. Establishing the lines of communication between 
DHS personnel and our office through these training programs helps us to get our 
message across and helps employees to be sensitized to proper information handling 
techniques. 

Our component privacy officers also make sure that employees in our components 
and offices are provided robust privacy training. I would be remiss, in fact, if I didn’t 
emphasize the close collaboration and rapport our office has with other privacy offi- 
cers in the Department, who were installed at our urging and who help the DHS 
Privacy Office carry out our important work. 

In addition to our general education and training programs, the Privacy Office has 
conducted two workshops intended to raise privacy awareness among DHS per- 
sonnel as well as the public. These workshops have drawn subject matter experts 
together to discuss privacy issues raised by homeland security programs. The issues 
we have explored are both relevant and topical. We have posted both transcripts 
and summaries of our activities on our website. 

I mentioned in my April 4, 2006 testimony before this Subcommittee that we had 
conducted a workshop on the government’s use of commercial data for homeland se- 
curity purposes. The objective of that workshop was to look at the policy, legal and 
technology issues associated with the government’s use of commercial data in home- 
land security programs. Just last week our Privacy and Data Integrity Board held 
preliminary discussions on development of a policy regarding the use of commercial 
data by DHS, and the information we gleaned from our workshop will be helpful 
as we move forward on this vital issue. 

Last month, we conducted another workshop on the use of personal information 
by the government and how we can achieve transparency and accountability. This 
workshop sparked discussions about the utility of privacy notices to accomplish 
transparency and how those notices can be written in a way that is comprehensible 
while it is also comprehensive. We also discussed the utility of the Freedom of Infor- 
mation Act for fostering accountability through access to information about individ- 
uals that is maintained by the government. We were fortunate to have several panel 
members from other nations who could contribute a global perspective on this issue. 
Again, the workshop complemented our internal training efforts to raise privacy 
awareness and also served an important educational function to improve public un- 
derstanding of DHS programs. 

INFORMATION SHARING AND OUTREACH 

Information sharing has become a significant focus of the DHS Privacy Office. The 
Intelligence Reform and Terrorism Prevention Act established requirements for an 
information sharing environment. This legislative mandate augmented Executive 
Orders and Homeland Security Directives issued by President Bush all aimed at fos- 
tering a climate of robust exchanges of terrorism related information in a privacy 
sensitive manner. Executive Order 13366, for example, directed all departments and 
agencies to enhance the interchange of terrorism-related information within the 
Federal government and between the Federal government and appropriate authori- 
ties of state and local governments. The DHS Privacy Office led the effort to inte- 
grate privacy protections into the planning process supporting the implementation 
of this Executive Order. 

Similarly, the DHS Privacy Office led the effort within DHS to integrate privacy 
protections at the earliest stages of implementing HSPD-11, a Presidential directive 
that concerns terrorist-related screening procedures. Within DHS, moreover, the 
Privacy Office has supported the work of the Information Sharing and Collaboration 
Office (ISCO), which was established to lead the creation of a DHS information 
sharing environment. The Privacy Office provided both resources and guidance to 
ISCO to help create a set of business rules for sharing personal information in a 
way that minimizes privacy intrusions while maximizing use of the data for home- 
land security purposes. 

The Privacy Office also participated in a number of interagency activities designed 
to foster inter-agency exchanges of information on privacy technologies and other 
privacy issues. We chair, for example, the Social, Legal and Privacy Subgroup of the 
National Science and Technology Council’s (NSTC) Subcommittee on Biometrics. Es- 
tablished by Executive Order, NSTC is the principal means by which the President 
coordinates science, space, and technology policy across the government. NSTC’s 
Subcommittee on Biometrics has examined issues related to the development and 
use of biometric technologies in the Federal government and the Social, Legal and 
Privacy Subgroup was responsible for developing a rich, centralized repository of in- 
formation about the social history of biometrics, the legal framework that applies 
to the collection and use of biometrics, and the privacy principles that should govern 
the responsible use of this technology. Analysis of this repository and actual imple- 
mentations resulted in a paper that connects privacy and biometrics at a structural 
level so that both fields can be understood within a common framework, thus ena- 
bling federal agencies and public entities to implement privacy-protective biometric 
systems. 

We have also begun coordinating with the White House’s Privacy and Civil Lib- 
erties Oversight Board on information sharing and other relevant issues. Through 
this work, the DHS Privacy Office is able to foster interagency cooperation, coordi- 
nation and collaboration on privacy matters. 

The Privacy Office has also reached out to experts in the private sector to help 
us understand programmatic, policy, operational and technology issues that affect 
privacy, data integrity, and data interoperability. To that end, in April 2004, the De- 
partment chartered the Data Privacy and Integrity Advisory Committee (DPIAC) 
under the authority of Federal Advisory Committee Act to provide an external and 
expert perspective to the Secretary and Chief Privacy Officer. The DHS Privacy Of- 
fice provides administrative and managerial support to the DPIAC. In return, the 
Committee has provided significant advice to the Chief Privacy Officer and the Sec- 
retary on important privacy considerations. The Committee offered its recommenda- 
tions on TSA’s Secure Flight Program, which have helped the DHS Privacy Office 
to formulate its own advice on this significant initiative. The Committee also pro- 
vided guidance on the Use of Commercial Data to Reduce False Positives in Screen- 
ing Programs, which will help inform any final policy that the Privacy Office rec- 
ommends on this important topic. We expect to continue to get advice from the Com- 
mittee on other issues of interest to the Department. 

INTERNATIONAL INITIATIVES 

Because the work of the Department is both national and international in scope, 
the work of the DHS Privacy Office is equally broad. The primary goal of the DHS 
Privacy Office’s international activities has been to convey to the global community 
the importance of fair information practices to our office, the Department and the 
nation. We have devoted significant resources to working with programs in multilat- 
eral global forums, such as the OECD, as well region-centric international organiza- 
tions such as the Asian Pacific Economic Cooperation forum (APEC). In addition, 
of course, the Privacy Office works with the European Union and on issues raised 
by the Joint Supervisory Body representatives of Europol and Eurojust. 

We have had substantial input on a number of international privacy initiatives, 
including the Enhanced International Travel Security Initiative (EITS), under the 
leadership of DHS’s Science and Technology Directorate and US-VISIT, and real- 
time sharing of lost and stolen passports in a way that properly protects privacy, 
through an APEC-sponsored initiative known as the Regional Movement Alert List. 
The Privacy Office also works more generally within international organizations to 
shift the international privacy dialogue away from conflicting laws to compatible 
privacy principles in order to foster information sharing for homeland security and 
other necessary purposes. Our work has been helpful in improving international 
opinion regarding the United States Government’s attention to privacy principles in 
the design and operation of information systems. 

FUTURE ACTIVITIES 

As I hope the foregoing demonstrates, the DHS Privacy Office takes a comprehen- 
sive approach to its statutory mission and has worked on a wide range of initiatives 
to ensure that privacy policy concerns are part of the necessary dialogue on the de- 
velopment and implementation of homeland security programs. We have been fortu- 
nate that Congress has provided funding to allow us to expand our staff of dedicated 
privacy professionals whose credentials rival those of anyone in the government or 
the private sector. And we are energized as we look ahead to some future activities. 

We recently completed a draft of a report on data mining, which is required by 
the 2005 DHS Appropriations Act, and we expect to continue our study of data min- 
ing programs at the Department in the coming year. Data mining can be a useful 
and important tool in the war against terrorism, and we are committed to ensuring 
that this technique is used responsibly and appropriately at DHS. 

We have already planned our next privacy workshop to focus on Privacy Impact 
Assessments. This timely session will enable DHS program officers to comply with 
the privacy requirements necessary for approval of their funding requests. We are 
also finalizing arrangements for the next DPIAC meeting, which will be held in 
California, and which will focus on expectations of privacy in public spaces and the 
use of RFID technology, two issues that have significant ramifications for Depart- 
mental activities. 

We plan to work closely with the OCIO to build privacy protections into every sys- 
tem across DHS, and we intend to collaborate with the Science and Technology Di- 
rectorate to add privacy protections to the approval process for new homeland secu- 
rity research initiatives. 

Because they are our “bread and butter” issues, the DHS Privacy Office will also 
continue to work to ensure that individual programs sustain and enhance privacy 
protections through strict compliance with the PIA and SORN requirements of fed- 
eral law. We will continue to refine our privacy guidance and enhance our privacy 
training initiatives to foster a culture of privacy awareness within the agency. 

We expect to complete development of a policy for the respectful and appropriate 
use of commercial data for homeland security purposes. And we anticipate that in 
the international arena, we will continue to be an important voice for the develop- 
ment of privacy-appropriate cross-border information sharing policies. 

Thank you for the opportunity to share the accomplishments of the DHS Privacy 
Office and to demonstrate, through this testimony, the importance of privacy “in the 
hands” of the Department of Homeland Security. We appreciate the support this 
Subcommittee has given to our office and look forward to working with you on mat- 
ters of mutual interest and concern. 

Mr. Cannon. Thank you, Ms. Cooney. 

Ms. Horvath, you are recognized for 5 minutes. 

TESTIMONY OF JANE C. HORVATH, CHIEF PRIVACY AND CIVIL 

LIBERTIES OFFICER, U.S. DEPARTMENT OF JUSTICE, WASH- 
INGTON, DC 

Ms. Horvath. Mr. Chairman and Members of the Subcommittee, 
thank you for inviting me to testify regarding the Department of 
Justice Privacy and Civil Liberties Office in connection with the 
Committee’s hearing. 

I started as the Department of Justice’s Chief Privacy and Civil 
Liberties Officer on February 21, 2006. I am responsible for De- 
partment-wide protection of privacy and civil liberties. During my 
first 30 days at the Department of Justice, we assessed the existing 
privacy and civil liberties functions at the Department. I met with 
senior officials of the DOJ components that had either privacy or 
civil liberties responsibilities within the Department. At all of these 
meetings, I was welcomed with enthusiasm. I received detailed 
briefings regarding their privacy and civil liberties efforts. From 
those meetings, we were able to determine priorities for the Office 
of Privacy and Civil Liberties. 

After meeting with the Chief Information Officer, we decided to 
centralize the privacy impact assessment process. We determined 
that the PIA process within the Department would be much more 
effective if all the components were working from a standard tem- 
plate with standard guidance. Utilizing some of the aspects of the 
DHS model, we drafted official PIA guidance, a privacy threshold 
analysis to determine whether a PIA is required, and a new PIA 
template. Next month, we’re going to hold a 1-day training session 
on PIA preparation and Privacy Act issues with members of the 
CIO staff and persons within the components who are responsible 
for Privacy Act issues. 

In furtherance of our civil liberties missions, we set up and 
launched a DOJ Privacy and Civil Liberties Board on April 17, 
2006. Representatives of the law enforcement, national security, 
and other relevant components are represented on the Board. We 
have subdivided the Board into three separate committees: an Out- 
reach Committee, focusing on outreach to the Arab, Muslim, and 
other ethnic or religious minority communities; a Data Committee, 
examining issues related to information privacy within the Depart- 
ment; and a Law Enforcement Committee, providing a forum for 
law enforcement to discuss efforts that might have an impact on 
civil liberties or privacy. 

Shortly after I arrived, we started to reach out to privacy advo- 
cacy and public policy groups. We’ve met with representatives from 
the ACLU, Center for Democracy and Technology, Cato Institute, 
Heritage Foundation, the Center for Information Policy Leadership 
at Hunton and Williams, and Peter Swire, the former Chief Coun- 
selor for Privacy in the U.S. Office of Management and Budget. 

We’ve also been active in intergovernmental groups and efforts. 
We believe that by working together as a group, privacy officers 
within the Government can utilize each other’s collective experi- 
ence. 

Our office has also been active in advising the Department on in- 
formation-sharing initiatives. While information sharing is an in- 
credibly important initiative for our security, it also involves impor- 
tant privacy and civil liberties issues. We are pleased that the Ad- 
ministration and the Attorney General have recognized the impor- 
tance of addressing these issues at the inception of information- 
sharing programs. 

Since my arrival, I have co-chaired the President’s Information 
Sharing Environment Guideline 5 Working Group with Alex Joel, 
the Director of National Intelligence Civil Liberties Protection Offi- 
cer. Guideline 5 of the December 16th memorandum from Presi- 
dent George W. Bush requires, in relevant part, that the Attorney 
General and the Director of National Intelligence develop guide- 
lines designed to be implemented by executive departments and 
agencies to ensure that the information privacy and other legal 
rights of Americans are protected in the development and use of 
the ISE, including in the acquisition, access, use, and storage of 
personally identifiable information. We also look forward to work- 
ing with the President’s Privacy and Civil Liberties Oversight 
Board on the guidelines. 

The Privacy and Civil Liberties Office also oversees the Depart- 
ment’s compliance with the Privacy Act of 1974 and plays an active 
role in ensuring that the Department’s law enforcement, litigation, 
and anti-terrorism missions are carried out in accordance with its 
provisions. We also provide Privacy Act guidance within the De- 
partment, both in response to specific inquiries raised by the com- 
ponents and through training programs. 

Although I have only been at DOJ a short while, my arrival has 
been greeted with enthusiasm. We have been consulted on numer- 
ous initiatives. In the coming year, we hope to launch new efforts, 
such as more extensive privacy and civil liberties training, that will 
further the office’s mission of protecting the privacy and civil lib- 
erties of those who interact with the Department of Justice. 

Thank you for the opportunity to speak today. 

[The prepared statement of Ms. Horvath follows:] 

Prepared Statement of Jane C. Horvath 


Department of Justice 


STATEMENT 

Of 

JANE C. HORVATH 

CHIEF PRIVACY AND CIVIL LIBERTIES OFFICER 


BEFORE THE 


SUBCOMMITTEE ON COMMERCIAL AND ADMINISTRATIVE LAW 
COMMITTEE ON THE JUDICIARY 
UNITED STATES HOUSE OF REPRESENTATIVES 


CONCERNING 

THE PRIVACY AND CIVIL LIBERTIES OFFICE 


PRESENTED ON 


MAY 17, 2006 

Mr. Chairman and Members of the Subcommittee: Thank you for inviting me to testify 
regarding the Privacy and Civil Liberties Office in connection with the Committee’s hearing. 

I. THE CHIEF PRIVACY AND CIVIL LIBERTIES OFFICER 

In February 2006, the Department created a senior position in the Office of the Deputy 
Attorney General for a new official who will serve as the Department’s Chief Privacy and Civil 
Liberties Officer. DOJ was well into the hiring process for this position in January when 
Congress passed the Department of Justice Reauthorization Act of 2005 calling for the Attorney 
General to designate a senior official in the Department of Justice to assume primary 
responsibility for privacy policy. The Act provided that the responsibilities of such official shall 
include advising the Attorney General regarding (1) appropriate privacy protections, relating to 
the collection, storage, use, disclosure, and security of personally identifiable information, with 
respect to the Department’s existing or proposed information technology and information 
systems; (2) privacy implications of legislative and regulatory proposals affecting the 
Department and involving the collection, storage, use, disclosure, and security of personally 
identifiable information; (3) implementation of policies and procedures, including appropriate 
training and auditing, to ensure the Department’s compliance with privacy-related laws and 
policies, including the Privacy Act and the E-Government Act of 2002; (4) ensuring that 
adequate resources and staff are devoted to meeting the Department’s privacy-related functions 
and obligations; (5) appropriate notifications regarding the Department’s privacy policies and 
privacy-related inquiry and complaint procedures; and (6) privacy-related reports from the 
Department to Congress and the President. 

After much discussion within the Department, the decision was made to combine the 
information privacy and civil liberties protection responsibilities into one position. This is a 
combination that the Department believes makes sense operationally. I started at the DOJ as the 
Chief Privacy and Civil Liberties Officer on February 21, 2006. As the Chief Privacy and Civil 
Liberties Officer, I am responsible for Department-wide protection of privacy and civil liberties. 

I think it might be helpful to you for me to provide you with a little of my background. 
Prior to my appointment at DOJ, I started the Washington, D.C. office of Privacy Laws & 
Business, a privacy consulting firm based in the United Kingdom. My responsibilities focused 
on advising U.S. companies on conducting their business in Europe in light of the EU Data 
Protection Directive. I spent six years at America Online, Inc. where I was Assistant General 
Counsel of America Online, Inc. and General Counsel of Digital City, Inc., a subsidiary of 
America Online, Inc. I helped draft the first privacy policy for the America Online Service, also 
one of the first in the industry, in 1996. I was a guest lecturer on protecting the privacy of AOL 
members at the Association of Attorneys’ General Meeting. Prior to working at America Online, 
I was an Associate at Hogan & Hartson, where my focus was on the representation of high 
technology clients. I started my legal career at Gibson, Dunn & Crutcher. 

Currently the Privacy and Civil Liberties Office is made up of two Senior Counsel from 
the Office of the Deputy Attorney General, and three experienced Privacy Act attorneys who 
were formerly with the Office of Information and Privacy. We are in the process of hiring 
additional staff. 

II. RESPONSIBILITIES OF THE PRIVACY AND CIVIL LIBERTIES OFFICE 

During my first thirty days at DOJ, we assessed the existing privacy and civil liberties 
functions at the Department. I met with the Inspector General; the Assistant Attorney General, 
Office of Legal Policy; Assistant Attorney General, Civil Division; the Chief Information 
Officer; and the Privacy Officer of the Federal Bureau of Investigation; and many others that had 
either privacy or civil liberties responsibilities within the Department. At all of these meetings I 
was welcomed with enthusiasm. I received detailed briefings regarding their privacy and civil 
liberties efforts. From those meetings we were able to develop an action plan for the Office of 
Privacy and Civil Liberties. 

After meeting with the Chief Information Officer, we decided to centralize the Privacy 
Impact Assessment (PIA) process. PIAs are required by Section 208 of the E-Government Act 
for all Federal government agencies that develop or procure new technology involving the 
collection, maintenance, or dissemination of personally identifiable information; or that make 
substantial changes to existing technology for managing information in identifiable form. A 
PIA is an analysis of how personally identifiable information is collected, stored, protected, 
shared, and managed. (We note that although they are excluded from the statute, we do require 
PIAs for our national security systems.) 

We determined that the PIA process within the Department would be much more 
effective if all components were working from a standard template with standard guidance. 
Utilizing some of the aspects of the DHS model, we drafted Official PIA Guidance; a Privacy 
Threshold Analysis to determine whether a PIA is required; and a new PIA Template. Next 
month, we are going to hold a one day training session on PIA preparation and Privacy Act 
issues with members of the CIO staff and persons within the components who are responsible for 
Privacy Act issues. 

In furtherance of our civil liberties missions, we set up and launched a DOJ Privacy and 
Civil Liberties Board on April 17, 2006. Representatives of the law enforcement, national 
security, and other relevant components are represented on the Board. We have subdivided the 
board into three separate committees: Outreach Committee, Data Committee and the Law 
Enforcement Committee. 

The function of the Outreach Committee is to survey and coordinate existing 
Departmental outreach efforts with respect to the Arab, Muslim and other ethnic or religious 
minorities which may be affected by the War on Terrorism. We will also implement additional 
outreach to these communities as needed. The Data Committee will examine issues related to 
information privacy within the Department. Its first task will be to respond to recommendations 
in the April 2006 GAO report entitled Personal Information: Agency and Reseller Adherence to 
Key Privacy Principles. Specifically, the committee will analyze the Department's use of 
information reseller data and propose Departmental policy with regard to such use. Information 
resellers are companies that collect information, including personal information about 
consumers, from a wide variety of sources for the purpose of reselling such information to their 
customers, which includes the Government. The Law Enforcement Committee will focus on law 
enforcement efforts that might have an impact on civil liberties or privacy. Some members of 
the Board sit on multiple committees. The committees will meet once a month, with the entire 
Board meeting at least twice a year or more often as needed to approve Committee initiatives. 

Shortly after I arrived, we started to reach out to privacy advocacy and public policy 
groups. We have met with representatives from the ACLU, Center for Democracy and 
Technology, Cato Institute and Heritage Foundation. We have also met with Peter Swire, the 
former Chief Counselor for Privacy in the U.S. Office of Management and Budget and the 
Center for Information Policy Leadership at Hunton & Williams LLP. Through these meetings 
we hope to keep up a dialog with the privacy community. 

We have also been active in intergovernmental groups and efforts. We believe that by 
working together as a group, privacy officers within the Government can utilize each other's 
collective experience. Last week Daniel Sutherland, Officer for Civil Rights and Civil Liberties 
at the Department of Homeland Security, hosted an event for privacy and civil liberties officers 
working in the national security and law enforcement agencies. We are planning to continue 
these meetings on a monthly basis in order for us to share experiences and ideas. Maureen 
Cooney, DHS acting Chief Privacy Officer, has asked me to participate at a DHS privacy office 
workshop in June on Privacy Impact Assessments. 

Our office has also been active in advising the Department on information sharing 
initiatives. While information sharing is an incredibly important initiative for our security, it 
also involves important privacy and civil liberties issues. We are pleased that the Administration 
and the Attorney General have recognized the importance of addressing these issues at the 
inception of information sharing programs. 

Since my arrival, I have co-chaired the President's Information Sharing Environment 
Guideline 5 Working Group with Alex Joel, the Director of National Intelligence Civil Liberties 
Protection Officer. The Guideline 5 initiative is in response to the December 16, 2005 
Memorandum from President George W. Bush to the Heads of Executive Departments and 
Agencies, Subject: Guidelines and Requirements in Support of the Information Sharing 
Environment. Guideline 5 of the Memorandum requires, in relevant part, that the Attorney 
General and the Director of National Intelligence: "(A) conduct a review of current executive 
department and agency information sharing policies and procedures regarding the protection of 
information privacy and other legal rights of Americans" and "(B) develop guidelines designed 
to be implemented by executive departments and agencies to ensure that the information privacy 
and other legal rights of Americans are protected in the development and use of the ISE, 
including in the acquisition, access, use, and storage of personally identifiable information." The 
working group was comprised of representatives of all of the agencies participating in the ISE. 
The working group is working to develop the guidelines required under the statute. We also 
look forward to working with the President's Privacy and Civil Liberties Oversight Board on the 
guidelines. 


The Privacy and Civil Liberties Office also oversees the Department's 
compliance with the Privacy Act of 1974 and plays an active role in ensuring that the 
Department's law enforcement, litigation, and anti-terrorism missions are carried out in 
accordance with its provisions. This is especially evident in our participation in the 
Department's Law Enforcement Information Sharing Program, in which we serve a vital role in 
ensuring that information sharing initiatives carried out in our effort to enforce the law are made 
in a manner that is consistent with the law. We also provide Privacy Act guidance within the 
Department, both in response to specific inquiries raised by the components and through training 
programs, drawing on the expertise in Privacy Act case law and analysis that my staff brought to 
this Office. 


III. CONCLUSION 

Although I have been at DOJ only a short while, my arrival has been greeted with 
enthusiasm. We have been consulted on numerous initiatives. In the coming year, we hope to 
launch new efforts, such as more extensive privacy and civil liberties training, that will further 
the office's mission of protecting the privacy and civil liberties of those who interact with the 
Department of Justice. 

Mr. Cannon. Thank you, Ms. Horvath. 

Professor Katzen? 

TESTIMONY OF SALLY KATZEN, PROFESSOR, GEORGE MASON 
UNIVERSITY LAW SCHOOL, ARLINGTON, VA 

Ms. Katzen. Thank you, Mr. Chairman, Ranking Member Watt, 
other Members of the Committee. I appreciate the invitation for me 
to testify today, as I did several years ago, about Government poli- 
cies and practices that implicate privacy. 

As the Chairman noted, privacy is one of the hallmarks of our 
country — cherished, protected, defended throughout our history. 
Since September 11, 2001, the debate has changed somewhat as 
the commitment to privacy has often been spoken in the context of 
national security and the need for combating terrorism. But pro- 
tecting our privacy and protecting our Nation are not mutually ex- 
clusive goals, and our challenge is to protect and defend our coun- 
try in a way that promotes our core values. 

Now, I belabor this point because in the 2 years since I appeared 
before this Committee, the concern for privacy and what many 
Americans believe to be invasions of their privacy by the Govern- 
ment has increased rather than decreased. More articles about pri- 
vacy policies and practices appear more frequently in the press. 
There are more stories on radio and television, and there is signifi- 
cantly more attention paid to privacy on the Internet than ever be- 
fore. The time devoted over the last several weeks or months in 
public discourse to the warrantless wiretaps by the National Secu- 
rity Agency and the decision of some common carriers to release to 
the Government information about calls made by millions of Ameri- 
cans is a clear indication of Americans’ commitment to and concern 
about privacy. 

Given the importance of privacy and its persistence in the na- 
tional debate, it’s somewhat surprising that this Administration 
has seemed so reluctant to take even minimal steps to address 
these concerns. For example, one of the subjects of today’s hearing 
is the Privacy Officer at DHS. When I last testified, I spoke in 
highly favorable terms of the appointment of Ms. Kelly as the first 
statutorily required privacy official at DHS. I stressed both the 
beneficial attention that was being paid to privacy concerns and 
the fact that having a privacy officer at DHS in no way diminished 
the capacity of the Department to pursue its mission. 

Ms. Kelly resigned from DHS last September, and with respect 
to Ms. Cooney, we have in place an Acting Privacy Officer. The job 
is hard enough. To be heard in policy decision meetings, to be lis- 
tened to when red flags are raised about a proposal’s privacy impli- 
cations, to be supported when a hand goes up and says, “Maybe we 
should reconsider, maybe we should do it differently,” that job is 
not easy even for a tenured employee. It is so much harder for an 
acting. 

There may well be legitimate reasons that there has been a delay 
in finding and installing Ms. Kelly’s replacement, but the unex- 
pected and unexplained delay raises unfortunate questions. Is it a 
lack of interest? Is it a lack of support by the Secretary of DHS or 
by the White House? 

In the same vein, I would mention that it has taken a very long 
time for the White House to nominate and have the Senate confirm 
the members of the Privacy and Civil Liberties Board which Ms. 
Horvath spoke about. That, too, was set up by an Act of Congress 
which was responding to legitimate questions and concerns about 
Government policies. 

In light of these examples, I would call for more oversight by 
Congress and, equally more important, more legislation concerning 
and empowering officials in the Government. In my written testi- 
mony, I remind the Committee that I had urged that there be stat- 
utory privacy officers at all major departments. I am pleased that 
the Department of Justice now has one. I hope that you will work 
with other Members of Congress and other Committees to expand 
that base. And without being too pushy, I would again renew my 
suggestion that the Committee support establishing at OMB a statutory 
office headed by a Chief Counselor for Privacy. Such an office 
was created and staffed during the Clinton administration, and it 
served us well. The current Administration chose not to fill that po- 
sition when they took office or since. As a result, there is no senior 
official in the Executive Office of the President who has privacy in 
his or her title or who is charged with oversight of Federal privacy 
policies. Yet it’s so much better to have privacy considered at the 
outset rather than after the plans are implemented and the stories 
appear on the front pages. 

My time is running. I have comments about the markup. Other- 
wise, I think it’s a great bill in many respects. I support the con- 
cept. And maybe during the questions and answers I could speak 
to that. 

I want to thank you again for asking me to participate. 

[The prepared statement of Ms. Katzen follows:] 

Prepared Statement of Sally Katzen 

Mr. Chairman and other Members of the Committee. Thank you for inviting me 
to testify today on a subject — “Privacy in the Hands of the Government” — that is 
exceedingly important to the American public and on which this Committee has 
commendably been actively engaged. 

This hearing is a follow on to one at which I testified on February 10, 2004. With 
the permission of the Committee, I would request that the written testimony that 
I prepared then be appended to my submission for this hearing; much of the back- 
ground and analysis presented in that document remain pertinent today and incor- 
porating it by reference will enable me to better focus on more recent developments. 

I have been involved in privacy policy and practices for well over a decade, having 
served as the Administrator of the Office of Information and Regulatory Affairs 
(OIRA) in the Office of Management and Budget (OMB) from 1993 to 1998 and as 
the Chair of the Information Policy Committee of the National Information Infra- 
structure Task Force, which produced, among other things, a revision of the 1973 
Code of Fair Information Practices, entitled “Principles for Providing and Using Personal 
Information.” During my later tenure as Deputy Director of the National Economic 
Council and then as Deputy Director for Management at OMB, I was involved 
in a series of privacy issues, and my interest in the subject has continued 
during my years in academics. 

My earlier testimony spoke to the importance of privacy in our history and cul- 
ture, and why I believe that privacy is one of the hallmarks of America — cherished, 
protected and defended throughout our country and throughout the years. 

The arrival of the Information Age raised privacy concerns to a new level, al- 
though after September 11, 2001, this was tempered by a clear recognition of the 
importance of security and the need for combating terrorism. But protecting our pri- 
vacy and protecting our nation are not mutually exclusive goals. Rather, the chal- 
lenge for all of us is to protect and defend our country in a way that preserves and 
promotes our core values. 

I belabor this point because in the two years since I appeared before this Com- 
mittee, the concern for privacy (and what many Americans believe to be invasions 
of their privacy) has increased rather than decreased. More articles about privacy 
policies and practices appear more frequently in the press, there are more stories 
on the radio and television, and there is significantly more attention paid to privacy 
on the Internet than ever before. The time devoted over the last several weeks/months 
in public discourse to the warrantless wiretaps by the National Security 
Agency and the decision of some common carriers to release to the government in- 
formation about calls made by millions of Americans is a clear indication of Ameri- 
cans’ continued commitment to, and concern about, privacy. 

Given the importance of privacy and its persistence in the national debate, it is 
somewhat surprising that this Administration has seemed to be so reluctant to take 
even minimal steps to address these concerns. For example, when I last testified, 
I spoke of the generally highly favorable reactions to the tenure of Nuala O’Connor 
Kelly as the first statutorily required privacy official at the Department of Home- 
land Security (DHS). I stressed both the beneficial attention that was paid to pri- 
vacy concerns and the fact that having a privacy officer at DHS in no way dimin- 
ished the capacity of the Department to pursue its mission. Ms. Kelly resigned from 
DHS many months ago, and regrettably there is only an Acting privacy officer in 
place. Is it a lack of interest or a lack of support for the position by the current 
Secretary of DHS? Or by the White House? There may well be legitimate problems 
in finding and installing Ms. Kelly’s replacement, but the unexplained delay sends 
a very bad signal to those who follow these developments as an indication of the 
Administration’s commitment to privacy. In that same vein, it is worth noting that 
it took the longest time for the White House to nominate and have the Senate con- 
firm the members of the Privacy and Civil Liberties Board, which is a committee 
established by another act of Congress designed to respond to what were perceived 
as legitimate questions and concerns about government policies with respect to pri- 
vacy. 

In light of these examples, I would call for more oversight by the Congress and, 
equally important, more legislation creating and empowering officials in the govern- 
ment with responsibility for privacy policy. I had urged in my earlier testimony that 
the Committee consider expanding the number of statutory privacy offices from one 
to 24, covering all major Departments (the so-called Chief Financial Officers Act 
agencies) or at least a handful of critical agencies, including the Department of Jus- 
tice, the Department of the Treasury (and the Internal Revenue Service), the De- 
partment of Defense and the Veterans Administration, the Social Security Adminis- 
tration, and the Department of Health and Human Services. I was pleased when 
Congress enacted legislation establishing a privacy officer at the Department of Jus- 
tice. With respect, I would again urge this Committee to work with others in the 
Congress to expand on this base. OMB guidance from two administrations (issued 
first during the Clinton Administration and repeated several years ago by the Bush 
Administration) has called for the creation of such offices in Executive Branch agen- 
cies. The imprimatur of Congress would enhance the influence and respect that 
these officers have within their Departments. Equally important, by establishing 
statutory privacy offices, the Congress would be able to engage in systematic over- 
sight of the attention paid to this important value in the federal government. 

I would also renew my suggestion that Congress establish at OMB a statutory 
office headed by a Chief Counselor for Privacy. Such an office was created and staffed 
during the Clinton Administration, and it served us well. The current Administra- 
tion chose not to fill the position when they took office or since. As a result, there 
is no senior official in the Executive Office of the President who has “privacy” in 
his/her title or who is charged with oversight of federal privacy practices, monitoring 
of interagency processes where privacy is implicated, or developing national privacy 
policies. Yet it is so much better to have privacy implications considered 
beforehand — in the formulation of program or projects — rather than after the plans are 
implemented and the stories about them begin to appear on the front pages of the 
national newspapers. And apart from damage control, having someone on the “in- 
side” addressing these issues may provide some brakes on the runaway train of sur- 
veillance. 

Finally, I understand that after this hearing, the Committee will move to mark 
up H.R. 2840, the “Federal Agency Protection of Privacy Act of 2005.” That bill re- 
flects a commendable desire to ensure that privacy impact statements are prepared 
by federal agencies as they develop regulations that involve the collection of per- 
sonal information. Several thoughts occurred to me as I was rereading the text for 
today’s hearing. 

First, Subsection (c) provides that an agency head may waive the requirements 
for a privacy impact statement “for national security reasons, or to protect from 
disclosure classified information, confidential commercial information, or information 
the disclosure of which may adversely affect a law enforcement effort . . .” Apart 
from the fact that the basis for a waiver goes well beyond national security, I re- 
called that there is a similar provision in the E-Government Act of 2002, which re- 
quires a privacy impact assessment for new federal government computer systems, 
but instead of giving an essentially free pass for national security concerns, Section 
208 (b) (1) (D) of that Act requires the agency to provide the privacy impact assess- 
ment to the Director of OMB. I would recommend that such a provision be included 
in H.R. 2840 and, in addition, that the bill provide that a copy of the analysis be 
sent to the Congressional Intelligence Committees in the case of national security 
waivers and the Congressional Judiciary Committees in the case of law enforcement 
related waivers. In that way, there could be government-wide Executive Branch 
oversight and, equally important, Congressional oversight over agency decision-mak- 
ing in this area. 

Second, the provisions of H.R. 2840 requiring an agency to prepare a plan for, and 
carry out, a periodic review of existing regulations that have a significant privacy 
impact on individuals or a privacy impact on a significant number of individuals are 
quite detailed and quite prescriptive. Rather than specifying all of the factors to be 
considered, and the timetable and procedures for each element of the review, it 
might be preferable to set forth in the bill the objectives of a periodic review and 
task OMB with providing guidance for the agencies as to how they should proceed. 
In this way, the terms are not cast in concrete but can be more readily adjusted 
as changes occur, either with respect to content or with respect to technology. 

With those modest suggestions, I would endorse the bill and once again commend 
this Committee for its effective and persistent leadership on these very important 
issues. 

Again, thank you for inviting me to testify today. I would be pleased to elaborate 
on these comments or answer any questions that you may have. 


ATTACHMENT 

Prepared Statement of Sally Katzen before the Committee on the Judiciary, 
Subcommittee on Commercial and Administrative Law, on February 10, 
2004, on “Privacy in the Hands of the Government: The Privacy Officer for 
the Department of Homeland Security” 

Thank you for inviting me to testify today on a vitally important subject — “Pri- 
vacy in the Hands of the Government.” This Committee is to be congratulated, not 
only for its leadership in creating a statutory Privacy Officer in the Department of 
Homeland Security (DHS), but also for being vigilant in its oversight of that office. 

I am currently a Visiting Professor at the University of Michigan Law School, 
where one of my courses is a seminar on “Technology Policy in the Information 
Age” — a significant portion of which is devoted to examining both the government 
and the private sector’s privacy policies and practices. I have been involved in pri- 
vacy policy for over a decade. In early 1993, I began serving as the Administrator 
of the Office of Information and Regulatory Affairs (OIRA) in the Office of Management 
and Budget (OMB); the “I” in OIRA signaled that I was, in effect, the chief 
information policy official for the federal government. Among other responsibilities, 
my office was charged with developing federal privacy policies, including implementation 
of the 1974 Privacy Act. Later in 1993, I was asked to chair the Information 
Policy Committee of the National Information Infrastructure Task Force, which had 
been convened by the Vice President and chaired by then Secretary of Commerce 
Ronald Brown. One of the first deliverables we produced was from my committee’s 
Privacy Working Group — a revision of the 1973 Code of Fair Information Practices, 
entitled “Principles for Providing and Using Personal Information.” During President 
Clinton’s second term, I worked with the Vice President’s Domestic Policy Advisor 
to create a highly visible and effective office for privacy advocacy in OMB; we 
selected Peter Swire to head that office and be the first Chief Counselor for Privacy, 
and I worked closely with him when I served as Deputy Director for Management 
at OMB during the last two years of the Clinton Administration. Since leaving 
government, I have, as indicated earlier, been teaching both at the graduate and 
undergraduate level. 

Given the Committee’s extensive work in this area, it is not necessary to speak 
at length on the importance of privacy in the history and culture of our country. 
Nonetheless, to provide context for the comments that follow, I want to be clear 
that, from my perspective, privacy is one of the core values of what we are as Amer- 
icans. Whether you trace its roots from the first settlers and the “frontier” mentality 
of the early pioneers, or from the legal doctrines that flowed from Justice Brandeis’ 
oft-quoted recognition in the late 19th century of “the right to be let alone,” privacy 
has been one of the hallmarks of America — cherished, prized, protected and de- 
fended throughout our country and throughout our history. 

The “Information Age” has brought new opportunities to benefit from the free flow 
of information, but at the same time it has also raised privacy concerns to a new 
level. Computers and networks can assemble, organize and analyze data from dis- 
parate sources at a speed (and with an accuracy) that was unimaginable only a few 
decades ago. And as the capacity — of both the government and the private sector — 
to obtain and mine data has increased, Americans have felt more threatened — in- 
deed, alarmed — at the potential for invasion (and exploitation) of their privacy. 

Before September 11, 2001, privacy concerns polled off the charts. Since then, 
there has been a recognition of the importance of security and the need for com- 
bating terrorism. But, as the Pew Internet surveys (and others) have found, Ameri- 
cans’ commitment to privacy has not diminished, and some would argue (with much 
force) that if, in protecting our nation, we are not able to preserve a free and open 
society for our public lives, with commensurate respect for the privacy of our private 
lives, then the terrorists will have won. For that reason, it was both necessary and 
desirable in creating a Department of Homeland Security to statutorily require the 
Secretary to appoint a senior official with primary responsibility for privacy policy. 
Ms. Kelly was selected for that position and took office about six months ago. 

We thus have some — albeit limited — operational experience with the statutory 
scheme, and it is therefore timely to see what we have learned and what more could 
(and should) be done by this Committee to be responsive to privacy concerns. 

I would draw two lessons from Ms. Kelly’s tenure to date at DHS. 

First, the existence of a Privacy Officer at DHS, especially someone who comes 
to the position with extensive knowledge of the issues and practical experience with 
the federal government, is highly beneficial. We know that some attention is now 
being paid to privacy concerns and that steps are being taken to advance this impor- 
tant value that might otherwise not have occurred. 

Consider the CAPPS II project, in which Ms. Kelly has recently been involved. 
She inherited a Privacy Act Notice issued last winter that was dreadful. She pro- 
duced a Second Privacy Act Notice that reflected much more careful thought about 
citizens’ rights and provided more transparency about the process. Regrettably, 
there was some backsliding: the initial concept was that the information would be 
used only to combat terrorism, whereas the second Notice indicated that the infor- 
mation would be used not only for terrorism but also for any violation of criminal 
or immigration law. Also, the document was vague (at best) on an individual’s abil- 
ity to access the data and to have corrections made. And there was more that should 
have been said about the manner in which the information is processed through the 
various data bases. But there is no question that the Second Notice was greatly im- 
proved from the first. 

Ms. Kelly was also involved with the US VISIT program, where she produced a 
Privacy Impact Analysis (PIA). Some had argued that a PIA was not required be- 
cause the program did not directly affect American citizens or permanent residents. 
Nonetheless, to her credit, she prepared and issued a PIA that was quite thoughtful 
and was well received. Whether one agrees or disagrees with the underlying pro- 
gram, at least we know that someone was engaged in the issues that deserve atten- 
tion and the product of that effort was released to the public. 

As someone outside the government, it is hard to know how influential Ms. Kelly 
will be if — and it inevitably will happen — there is a direct conflict between what a 
program office within DHS wants to do and what the Privacy Officer would counsel 
against for privacy reasons. Effectiveness in this type of position depends on auton- 
omy and authority — that is, on the aggressiveness of the office holder to call atten- 
tion to potential problems and on support from the top. We may take some comfort 
from Secretary Ridge’s comments; he has said all the right things about supporting 
the Privacy Officer. But we cannot now know what will happen when the “rubber 
meets the road.” 

This Committee, however, can further empower the Privacy Officer, and lay the 
foundation for remedying any problems that may arise, by maintaining its oversight 
and inquiring pointedly into how the Department operates. For example, Ms. Kelly 
(and Secretary Ridge) should be asked at what stage she is alerted to or brought 
into new initiatives; what avenues are open for her to raise any questions or con- 
cerns; and whether the Secretary will be personally involved in resolving any dis- 
pute in which she is involved. The timing of the release of the PIA for the US VISIT 
program suggests that Ms. Kelly may not always be consulted on a timely basis. 
As I read the E-Government Act of 2002, an agency is to issue a PIA before it develops 
or procures information technology that collects, maintains or disseminates 
information that is in an identifiable form. In this instance, the PIA was released 
much further down the road, when the program was about to go on line. Anything 
that helps the Privacy Officer become involved in new initiatives at the outset, be- 
fore there is substantial staff (let alone money) invested in a project, would be high- 
ly salutary. 

The second lesson that I take from the experience to date with the Privacy Officer 
at DHS is that there has been no diminution in the capacity of the Department to 
pursue its mission. Or as a political wag would say, the existence of a Privacy Offi- 
cer in DHS has not caused the collapse of western civilization as we know it. This 
is wholly consistent with what most Americans think — that national security and 
privacy are compatible and are not intrinsically mutually exclusive. 

The fact that there is no evidence that the existence, or any activity, of the Privacy Officer has caused DHS to falter leads me to suggest that the Committee consider expanding the number of statutory privacy offices from one to 24, covering all major Departments (the so-called Chief Financial Officers Act agencies) or at least a handful of critical agencies. Imagine the salutary effect that a statutory privacy office could have at the Department of Justice, the Department of the Treasury (and the Internal Revenue Service), the Department of Defense and the Veterans Administration, the Social Security Administration, and the Department of Health and Human Services. All of these agencies already have some form of privacy office in place, although many simply process Privacy Act complaints, requests, notices, etc. and do not involve themselves in the privacy implications of activities undertaken by their agencies. It is significant, I believe, that OMB guidance from two administrations (issued first during the Clinton Administration and repeated recently by the Bush Administration) has called for the creation of such offices in Executive Branch agencies. With the imprimatur of Congress, these offices can achieve the status (and increased influence) and gain the respect that the Privacy Officer has enjoyed at DHS. Equally important, by establishing statutory privacy offices, the Congress will be able to engage in systematic oversight of the attention paid to this important value in the federal government — something which has not occurred before this hearing today.

I hope I do not seem presumptuous to suggest — indeed, strongly urge — one further step: establishing at OMB a statutory office headed by a Chief Counselor for Privacy. As noted above, we had created such a position during the Clinton Administration, and it served us well. Peter Swire, the person we selected to head that office, was able to bring his knowledge, insights, and sensitivity to privacy concerns to a wide range of subjects. In his two years as Chief Counselor, he worked on a number of difficult issues, including privacy policies (and the role of cookies) on government websites, encryption, medical records privacy regulations, use and abuse of social security numbers, and genetic discrimination in federal hiring and promotion decisions, to name just some of the subjects that came from various federal agencies. He was also instrumental in helping us formulate national privacy policies that arose in connection with such matters as the financial modernization bill, proposed legislation to regulate internet privacy, and the European Union’s Data Protection Directive.

I believe it is unfortunate that the current Administration has chosen not to fill that position. As a result, there is no senior official in the Executive Office of the President who has “privacy” in his/her title or who is charged with oversight of federal privacy practices, monitoring of interagency processes where privacy is implicated, or developing national privacy policies. Perhaps it was the absence of such a person that led to the Bush Administration’s initial lack of support for the designation of a Privacy Officer at the Department of Homeland Security. Perhaps if someone had been appointed to that position, the Administration would not have appeared to be so tone deaf to privacy concerns in connection with the Patriot Act or any number of law enforcement issues that have made headlines over the past several years. An “insider” can provide both institutional memory and sensitivity to counterbalance the unfortunate tendency of some within the government to surveil first and think later. At the least, the appointment of a highly qualified privacy guru at OMB would mean that someone in a senior position, with visibility, would be thinking about these issues before — rather than after — policies are announced.

Finally, I understand that after this Hearing, the Committee will move to mark up H.R. 338, “The Defense of Privacy Act.” That bill reflects a commendable desire to ensure that privacy impact statements are prepared by federal agencies as they develop regulations which may have a significant privacy impact on an individual or have a privacy impact on a substantial number of individuals. I was struck in reviewing the E-Government Act of 2002 for this testimony that it requires an agency to prepare a PIA not only before it develops or procures information technology that implicates privacy concerns, but also before the agency initiates a new collection of information that will use information technology to collect, maintain or disseminate any information in an identifiable form. This law has gone into effect, OMB has already issued guidance on how to prepare the requisite PIAs, and the agencies are learning how to prepare these PIAs using that model. Rather than impose another regime on agencies when they are developing regulations (which are frequently the basis for the information collection requests referenced in the E-Government Act of 2002), it might be preferable to amend the E-Government Act to expand its requirements to apply to regulations that implicate privacy concerns. That approach would have the added benefit of eliminating the inevitable debate over the judicial review provisions of H.R. 338, which go significantly beyond the judicial review provisions of any of the comparable acts (e.g., Reg.Flex., NEPA, Unfunded Mandates, etc.). Lastly, if you were to amend the E-Government Act to include privacy-related regulations, you might also consider including privacy-related legislative proposals from the Administration. As you know, Executive Branch proposals for legislation are reviewed by OMB before they are submitted to the Congress. If there were a Chief Counselor for Privacy at OMB, s/he would be able to provide input for the benefit of the Administration, the Congress and the American people.

Again, thank you for inviting me to testify today. This Committee has been an effective leader on privacy issues, and it is encouraging that you are continuing the effort. I would be pleased to elaborate on these comments or answer any questions that you may have.

Mr. Cannon. Thank you, Professor. 

Ms. Koontz? 

TESTIMONY OF LINDA KOONTZ, DIRECTOR, INFORMATION MANAGEMENT ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE, WASHINGTON, DC

Ms. Koontz. Mr. Chairman and Members of the Subcommittee, I appreciate the opportunity to be here today to discuss key challenges facing Federal privacy officers. As you know, advances in information technology make it easier than ever for the Federal Government to acquire data on individuals, analyze it for a variety of purposes, and share it with other governmental and nongovernmental entities. Further, the demands of the war on terror put additional pressure on agencies to extract as much value as possible from the information available to them, adding to the potential for compromising privacy.

This is the context in which agencies must carry out their critical responsibilities for protecting the privacy rights of individuals in accordance with current law. To do so, many agencies have designated privacy officers to act as focal points. Recently, these positions have gained greater prominence. In response to rising concerns about privacy rights in our electronic age, both legislation and guidance have directed agencies to establish chief privacy officers or to ensure that a senior official takes overall responsibility for information privacy.

Privacy issues have also been at the heart of several studies that the Congress has asked us to perform over the past few years. Our results highlight some of the challenges faced by agencies and privacy officials.

First, compliance with current law has posed challenges. In 2003, we reported that agency compliance with the requirements of the Privacy Act was uneven. Agencies reviewed generally did well with certain aspects of the requirements, such as issuing public notices about systems containing personal information. However, they did less well at others, such as ensuring that information was complete, accurate, relevant, and timely before it was disclosed to a non-Federal organization.

Agency officials told us that they needed more leadership and guidance from the Office of Management and Budget to help them with implementation in a rapidly changing environment. Similarly, agencies have not always complied with the E-Government Act requirement that agencies perform privacy impact assessments, or PIAs, on certain systems containing personal information. Such assessments are important to ensure that information is handled in a way that protects privacy.

Although we have not yet done a comprehensive assessment of agencies’ implementation of PIAs, we did determine in recent work on commercial data resellers that many agencies did not perform PIAs on systems that used reseller information because they believe that a PIA was not required.

Privacy officers also face the challenge of ensuring that privacy protections are not compromised by advances in technology. For example, Federal agencies are increasingly using data mining, that is, analyzing large amounts of data to uncover hidden patterns. Initially, this tool was used mostly to detect financial fraud and abuse, but its use has expanded to include purposes such as detecting terrorist threats.

In 2005, in a review of five different data-mining efforts at selected agencies, we reported that these agencies did take many of the steps needed to protect privacy. However, none followed all key procedures. For instance, although they did issue public notices, these notices did not always describe the intended uses of personal information as required.

Another new technology presenting privacy challenges is radio frequency identification, or RFID. This technology uses wireless communications to transmit data and electronically track and store information on tags attached to or embedded in objects. As we reported in 2005, Federal agencies use or propose to use RFID for physical access controls and to track access. For example, DOD uses it to track shipments. Although this kind of inventory control application is not likely to generate privacy concerns, RFID use could raise issues if, for example, people were not aware that the technology is being used and that it could be embedded in items they are carrying and be used to track them.

Agency privacy offices will play a key role in addressing the challenges I have described. They will be instrumental in ensuring that agencies comply with legislative requirements and in ensuring that privacy is fully addressed in agency approaches to new technologies. In addition, chief privacy officers are in a position to work with OMB and other agencies to identify ambiguities and clarify the applicability of privacy requirements. Not least, they can work to increase agency awareness and raise the priority of privacy issues.

That concludes my statement. I would be happy to answer questions at the appropriate time.

[The prepared statement of Ms. Koontz follows:] 



Prepared Statement of Linda D. Koontz

United States Government Accountability Office

GAO

Testimony
Before the Subcommittee on Commercial and Administrative Law, Committee on the Judiciary, House of Representatives

For Release on Delivery
Expected at 2 p.m. EDT
Wednesday, May 17, 2006

PRIVACY

Key Challenges Facing Federal Agencies

Statement of Linda D. Koontz, Director, Information Management Issues

GAO-06-777T



Highlights

Highlights of GAO-06-777T, a testimony before the Subcommittee on Commercial and Administrative Law, Committee on the Judiciary, House of Representatives


Why GAO Did This Study 

Advances in information technology make it easier than ever for the federal government to obtain and process personal information about citizens and residents in many ways and for many purposes. To ensure that the privacy rights of individuals are respected, this information must be properly protected in accordance with current law, particularly the Privacy Act and the E-Government Act of 2002. These laws prescribe specific activities that agencies must perform to protect privacy, and the Office of Management and Budget (OMB) has developed guidance on how and in what circumstances agencies are to carry out these activities.

Many agencies designate officials as focal points for privacy-related matters, and increasingly, many have created senior positions, such as chief privacy officer, to assume primary responsibility for privacy policy, as well as dedicated privacy offices.

GAO was asked to testify on key challenges facing agency privacy officers. To address this issue, GAO identified and summarized issues raised in its previous reports on privacy.


What GAO Recommends 


Because GAO has already made privacy-related recommendations in the earlier reports described here, it is making no further recommendations at this time.


www.gao.gov/cgi-bin/getrpt?GAO-06-777T

To view the full product, including the scope and methodology, click on the link above.

For more information, contact Linda Koontz at (202) 512-6240 or koontzl@gao.gov.


PRIVACY 

Key Challenges Facing Federal Agencies 


What GAO Found 

Agencies and their privacy officers face growing demands in addressing privacy challenges. For example, as GAO reported in 2003, agency compliance with Privacy Act requirements was uneven, owing to ambiguities in guidance, lack of awareness, and lack of priority. While agencies generally did well with certain aspects of the Privacy Act’s requirements — such as issuing notices concerning certain systems containing collections of personal information — they did less well at others, such as ensuring that information is complete, accurate, relevant, and timely before it is disclosed to a nonfederal organization. In addition, the E-Gov Act requires that agencies perform privacy impact assessments (PIA) on such information collections. Such assessments are important to ensure, among other things, that information is handled in a way that conforms to privacy requirements. However, in work on commercial data resellers, GAO determined in 2006 that many agencies did not perform PIAs on systems that used reseller information, believing that these were not required. In addition, in public notices on these systems, agencies did not always reveal that information resellers were among the sources to be used. To address such challenges, chief privacy officers can work with officials from OMB and other agencies to identify ambiguities and provide clarifications about the applicability of privacy provisions, such as in situations involving the use of reseller information. In addition, as senior officials, they can increase agency awareness and raise the priority of privacy issues.

Agencies and privacy officers will also face the challenge of ensuring that privacy protections are not compromised by advances in technology. For example, federal agency use of data mining — the analysis of large amounts of data to uncover hidden patterns and relationships — was initially aimed at detecting financial fraud and abuse. Increasingly, however, the use of this tool has expanded to include purposes such as detecting terrorist threats. GAO found in 2005 that agencies employing data mining took many steps needed to protect privacy (such as issuing public notices), but none followed all key procedures (such as including in these notices the intended uses of personal information). Another new technology development presenting privacy challenges is radio frequency identification (RFID), which uses wireless communication to transmit data and thus electronically identify, track, and store information on tags attached to or embedded in objects. GAO reported in 2005 that federal agencies use or propose to use the technology for physical access controls and tracking assets, documents, or materials. For example, the Department of Defense was using RFID to track shipments. Although such applications are not likely to generate privacy concerns, others could, such as the use of RFIDs by the federal government to track the movement of individuals traveling within the United States. Agency privacy offices can serve as a key mechanism for ensuring that privacy is fully addressed in agency approaches to new technologies such as data mining and RFID.




Mr. Chairman and Members of the Subcommittee: 

I appreciate the opportunity to be here today to discuss key challenges facing federal agency privacy officers. As the federal government obtains and processes personal information[1] about citizens and residents in increasingly diverse ways and for increasingly sophisticated purposes, it remains critically important that this information be properly protected and the privacy rights of individuals respected. Advances in information technology make it easier than ever for agencies to acquire data on individuals, analyze it for a variety of purposes, and share it with other governmental and nongovernmental entities. Further, the demands of the war on terror put additional pressure on agencies to extract as much value as possible from the information available to them, adding to the potential for compromising privacy. It is in this context that agency privacy officers must continually strive to ensure that the privacy rights of individuals remain adequately respected.

As requested, my statement will focus on key privacy challenges facing agency privacy officers, including those at the Departments of Homeland Security (DHS) and Justice. After a brief summary and discussion of the federal laws and guidance that apply to agency use of personal information, I will discuss the evolution of the role of privacy officials in federal agencies and then highlight key issues they are currently facing.

To address key challenges faced by privacy officers, we identified and summarized issues raised in our previous reports on privacy, including our recent work regarding the federal government’s use of personal information from companies known as information resellers.[2] We conducted the work for these reports in accordance with generally accepted government auditing standards. To provide additional information on our previous privacy-related work, I have included, as an attachment, a list of pertinent GAO publications.

[1] For purposes of this testimony, the term personal information encompasses all information associated with an individual, including both identifying and nonidentifying information. Personally identifying information, which can be used to locate or identify an individual, includes such things as names, aliases, and agency-assigned case numbers. Nonidentifying personal information includes such things as age, education, finances, criminal history, physical attributes, and gender.

[2] GAO, Personal Information: Agency and Reseller Adherence to Key Privacy Principles, GAO-06-421 (Washington, D.C.: Apr. 4, 2006).


Results in Brief 


Many agencies have designated officials as focal points for privacy-related matters, including, in some agencies, chief privacy officers. Recently, however, these positions have gained greater prominence, as legislation and guidance have directed agencies to establish chief privacy officers or to designate a senior official with overall agencywide responsibility for information privacy issues.

The elevation of privacy officers to senior positions reflects the growing demands that these individuals face in addressing privacy challenges on a day-to-day basis. These challenges include the following:

• Complying with the Privacy Act and the E-Government Act of 2002. These laws prescribe specific activities that agencies must perform to protect privacy, such as issuing notices concerning certain systems containing collections of personal information and performing privacy impact assessments. Agency compliance with these requirements has been uneven in the past, owing to ambiguities in guidance, lack of awareness, and lack of priority.

• Ensuring that data mining efforts do not compromise privacy protections. Increased use by federal agencies of data mining — the analysis of large amounts of data to uncover hidden patterns and relationships — has been accompanied by uncertainty regarding privacy requirements and oversight of such systems. As we reported in previous work, the result was that although agencies employing data mining took many steps needed to protect privacy (such as issuing public notices), none followed all key procedures (such as including in these notices the intended uses of personal information).

• Controlling the collection and use of personal information obtained from commercial sources — “information resellers.” A major task confronting federal agencies, especially those engaged in antiterrorism tasks, is to ensure that information obtained from resellers is being appropriately used and protected. In previous work, we reported that agencies were uncertain about the applicability of privacy requirements to this information, which led to inconsistencies in how it was treated.

• Addressing concerns about radio frequency identification technology. This technology uses wireless communication to transmit data and thus electronically identify, track, and store information on tags attached to or embedded in objects. In previous work, we reported that although common applications of this technology (such as inventory control) are not likely to generate privacy concerns, others could, such as its potential use to track the movement of individuals traveling within the United States.

We have made recommendations previously to OMB and agencies to ensure they are adequately addressing privacy issues. As agencies take action, their privacy offices can serve as key mechanisms for ensuring that privacy is fully addressed in agency approaches to collecting, storing, and using personal information, including in new techniques and technologies, such as data mining and others.


Background: Federal Laws and Guidance Govern Use of Personal Information in Federal Agencies

A core function of privacy officers is to ensure that their agencies are in compliance with federal laws. The major requirements for the protection of personal privacy by federal agencies come from two laws, the Privacy Act of 1974 and the E-Government Act of 2002.

The Federal Information Security Management Act of 2002 (FISMA) also addresses the protection of personal information in the context of securing federal agency information and information systems.

The Privacy Act places limitations on agencies’ collection, disclosure, and use of personal information maintained in systems of records. The act describes a “record” as any item, collection, or grouping of information about an individual that is maintained by an agency and contains his or her name or another personal identifier. It also defines “system of records” as a group of records under the control of any agency from which information is retrieved by the name of the individual or by an individual identifier. The Privacy Act requires that when agencies establish or make changes to a system of records, they must notify the public by a “system-of-records notice”: that is, a notice in the Federal Register identifying, among other things, the type of data collected, the types of individuals about whom information is collected, the intended “routine” uses of data, and procedures that individuals can use to review and correct personal information.[3] Among other provisions, the act also requires agencies to define and limit themselves to specific predefined purposes. For example, the act requires that to the greatest extent practicable, personal information should be collected directly from the subject individual when it may affect an individual’s rights or benefits under a federal program.

The provisions of the Privacy Act are largely based on a set of principles for protecting the privacy and security of personal information, known as the Fair Information Practices, which were first proposed in 1973 by a U.S. government advisory committee;[4] these principles were intended to address what the committee termed a poor level of protection afforded to privacy under contemporary law. Since that time, the Fair Information Practices have been widely adopted as a standard benchmark for evaluating the adequacy of privacy protections. Attachment 2 contains a summary of the widely used version of the Fair Information Practices adopted by the Organization for Economic Cooperation and Development in 1980.

The E-Government Act of 2002 strives to enhance protection for personal information in government information systems or information collections by requiring that agencies conduct privacy impact assessments (PIA). A PIA is an analysis of how personal information is collected, stored, shared, and managed in a federal system. More specifically, according to Office of Management and Budget (OMB) guidance,[5] a PIA is an analysis of how information is handled. Specifically, a PIA is to (1) ensure that handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; (2) determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and (3) examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.

[3] Under the Privacy Act of 1974, the term “routine use” means (with respect to the disclosure of a record) the use of such a record for a purpose that is compatible with the purpose for which it was collected. 5 U.S.C. § 552a(a)(7).

[4] Congress used the committee’s final report as a basis for enacting the Privacy Act of 1974. See U.S. Department of Health, Education, and Welfare, Records, Computers and the Rights of Citizens: Report of the Secretary’s Advisory Committee on Automated Personal Data Systems (Washington, D.C.: July 1973).

Agencies must conduct PIAs (1) before developing or procuring information technology that collects, maintains, or disseminates information that is in a personally identifiable form; or (2) before initiating any new data collections involving personal information that will be collected, maintained, or disseminated using information technology if the same questions are asked of 10 or more people. To the extent that PIAs are made publicly available,[6] they provide explanations to the public about such things as the information that will be collected, why it is being collected, how it is to be used, and how the system and data will be maintained and protected.

FISMA also addresses the protection of personal information. FISMA defines federal requirements for securing information and information systems that support federal agency operations and assets; it requires agencies to develop agencywide information security programs that extend to contractors and other providers of federal data and systems.[7] Under FISMA, information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction, including controls necessary to preserve authorized restrictions on access and disclosure to protect personal privacy, among other things.

[5] Office of Management and Budget, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, M-03-22 (Sept. 26, 2003).

[6] The E-Government Act requires agencies, if practicable, to make privacy impact assessments publicly available through agency Web sites, publication in the Federal Register, or by other means. Pub. L. 107-347, § 208(b)(1)(B)(iii).

[7] Title III, E-Government Act of 2002, Pub. L. 107-347 (Dec. 17, 2002).

OMB is tasked with providing guidance to agencies on how to implement the provisions of the Privacy Act and the E-Government Act and has done so, beginning with guidance on the Privacy Act, issued in 1975.[8] The guidance provides explanations for the various provisions of the law as well as detailed instructions for how to comply. OMB’s guidance on implementing the privacy provisions of the E-Government Act of 2002 identifies circumstances under which agencies must conduct PIAs and explains how to conduct them. OMB has also issued guidance on implementing the provisions of FISMA.


Privacy Officers Have Gained Prominence at Several Federal 
Agencies 

While many agencies have had officials designated as focal points for privacy-related matters for some time, these positions have recently gained greater prominence at a number of agencies. A long-standing requirement has been in place for agency chief information officers to be responsible for implementing and enforcing privacy policies, procedures, standards, and guidelines, and for compliance with the Privacy Act.[9] In 2004, we reported that of the 27 major agency chief information officers, 17 were responsible for privacy and 10 were not. In those 10 agencies, privacy was most often the responsibility of the Office of General Counsel and/or various offices focusing on compliance with the Freedom of Information Act and the Privacy Act.[10]

[8] OMB, “Privacy Act Implementation: Guidelines and Responsibilities,” Federal Register, Volume 40, Number 132, Part III, pp. 28948-28978 (Washington, D.C.: July 9, 1975). Since the initial Privacy Act guidance of 1975, OMB periodically has published additional guidance. Further information regarding OMB Privacy Act guidance can be found on the OMB Web site.

[9] The Paperwork Reduction Act (Pub. L. 96-511), as amended (44 U.S.C. 3506(a)(2) and (3) and 44 U.S.C. 3506(g)).

Steps have been taken recently to highlight the importance of privacy officers in federal agencies. For example, the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act of 2005[11] required each agency covered by the act to have a chief privacy officer responsible for, among other things, “assuring that the use of technologies sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of information in identifiable form.” Subsequently, in February 2005, OMB issued a memorandum[12] to federal agencies requiring them to designate a senior official with overall agencywide responsibility for information privacy issues. This senior official was to have overall responsibility and accountability for ensuring the agency’s implementation of information privacy protections and play a central policy-making role in the agency’s development and evaluation of policy proposals relating to the agency’s collection, use, sharing, and disclosure of personal information.

Prior to the OMB guidance, several agencies had already designated 
privacy officials at higher levels. The Internal Revenue Service had 
been one of the first, establishing its privacy advocate in 1993. In 
2001, the Postal Service established a Chief Privacy Officer. More 
recently, as you know, Section 222 of the Homeland Security Act of 
2002 had created the first statutorily required senior privacy official 
at any federal agency.¹³ This law mandated the appointment of a 
senior official at DHS to assume primary responsibility for privacy 
policy, including, among other things, assuring that the use of 
technologies sustains, and does not erode, privacy protections 


¹⁰GAO, Federal Chief Information Officers: Responsibilities, Reporting Relationships, 
Tenure, and Challenges, GAO-04-823 (Washington, D.C.: July 21, 2004). 

¹¹The Transportation, Treasury, Independent Agencies, and General Government 
Appropriations Act of 2005, Sec. 522, Division H, Consolidated Appropriations Act of 2005 
(Pub. L. 108-447; 118 Stat. 3268; 5 U.S.C. 552a note). 

¹²OMB, Designation of Senior Agency Officials for Privacy, Memorandum M-05-08 (Feb. 
11, 2005). 

¹³Homeland Security Act of 2002, Pub. L. 107-296, § 222, 116 Stat. 2155. 






relating to the use, collection, and disclosure of personal 
information. Since being established, the DHS Privacy Office 
created a Data Privacy and Integrity Advisory Committee, made up 
of experts from the private and non-profit sectors and the academic 
community, to advise it on issues within DHS that affect individual 
privacy, as well as data integrity, interoperability, and other 
privacy-related issues. 

Through the Intelligence Reform Act in 2004, Congress expressed 
more broadly the sense that agencies with law enforcement or 
anti-terrorism functions should have a privacy and civil liberties 
officer.¹⁴ In keeping with that, Justice recently announced the 
appointment of a Chief Privacy and Civil Liberties Officer responsible 
for reviewing and overseeing the department’s privacy operations and 
complying with privacy laws. Justice has also announced plans to 
establish an internal Privacy and Civil Liberties Board made up of 
senior Justice officials to assist in ensuring that the department’s 
activities are carried out in a way that fully protects the privacy and 
civil liberties of Americans. 


Agency Privacy Officers Face a Number of Challenges 

The elevation of privacy officers at federal agencies reflects the 
growing demands that these individuals face in addressing privacy 
challenges on a day-to-day basis. Among these challenges, several 
that are prominent include (1) complying with the Privacy Act and 
the E-Government Act of 2002, (2) ensuring that data mining efforts 
do not compromise privacy protections, (3) controlling the 
collection and use of personal information obtained from 
commercial sources, and (4) addressing concerns about radio 
frequency identification technology. 


¹⁴P.L. 108-458, sec. 1062 (Dec. 17, 2004). 




Complying with the Privacy Act and the E-Government Act of 2002 

Although it has been on the books for more than 30 years, the 
Privacy Act of 1974 continues to pose challenges for federal 
agencies. In 2003, we reported¹⁵ that agencies generally did well with 
certain aspects of the Privacy Act’s requirements — such as issuing 
system-of-records notices when required — but did less well at other 
requirements, such as ensuring that information is complete, 
accurate, relevant, and timely before it is disclosed to a nonfederal 
organization. In discussing this uneven compliance, agency officials 
reported the need for additional OMB leadership and guidance to 
assist in difficult implementation issues in a rapidly changing 
environment. For example, officials had questions about the act’s 
applicability to electronic records. Additional issues included the 
low agency priority given to implementing the act and insufficient 
employee training on the act. 

These are all issues that chief privacy officers could be in a position 
to address. For example, working in concert with officials from 
OMB and other agencies, they are in a position to identify 
ambiguities in guidance and provide clarifications about the 
applicability of the Privacy Act. Further, the establishment of a chief 
privacy officer position and its relative seniority within an agency’s 
organizational structure could indicate that an agency places 
priority on implementing the act. Finally, a chief privacy officer 
could also serve as a champion for privacy awareness and education 
across an agency. 

The E-Government Act’s requirement that agencies conduct PIAs is 
relatively recent, and we have not yet made a comprehensive 
assessment of agencies’ implementation of this important provision. 
However, our previous work has highlighted challenges with respect 
to conduct of these assessments for certain applications. For 
example, in our work on federal agency use of information 
resellers,¹⁶ we found that few agency components reported 


¹⁵GAO, Privacy Act: OMB Leadership Needed to Improve Agency Compliance, GAO-03-304 
(Washington, D.C.: June 30, 2003). 

¹⁶GAO-06-421, p. 58. 




developing PIAs for their systems or programs that make use of 
information reseller data. These agencies often did not conduct PIAs 
because officials did not believe they were required. Current OMB 
guidance on conducting PIAs is not always clear about when they 
should be conducted. We concluded that until PIAs are conducted 
more thoroughly and consistently, the public is likely to remain 
incompletely informed about the purposes and uses for the 
information agencies obtain from resellers. We recommended that 
OMB revise its guidance to clarify the applicability of the E-Gov 
Act’s PIA requirement (as well as Privacy Act requirements) to the 
use of personal information from resellers. 

Compliance with OMB’s PIA guidance was also an issue in our 
review of selected data mining efforts at federal agencies.¹⁷ In that 
review, although three of the five data mining efforts we assessed 
had conducted PIAs, none of these assessments fully complied with 
OMB guidance. Complete assessments are an important tool for 
agencies to identify areas of noncompliance with federal privacy 
laws, evaluate risks arising from electronic collection and 
maintenance of information about individuals, and evaluate 
protections or alternative processes needed to mitigate the risks 
identified. Agencies that do not take all the steps required to protect 
the privacy of personal information limit the ability of individuals to 
participate in decisions that affect them, as required by law, and risk 
the improper exposure or alteration of personal information. We 
recommended that the agencies responsible for the data mining 
efforts complete or revise PIAs as needed and make them available 
to the public. 

The DHS Privacy Office recently issued detailed guidance on 
conducting PIAs¹⁸ that may be helpful to departmental components 
as they develop and implement systems that involve personal 
information. The guidance notes that PIAs can be one of the most 


¹⁷GAO, Data Mining: Agencies Have Taken Key Steps to Protect Privacy in Selected 
Efforts, but Significant Compliance Issues Remain, GAO-05-866 (Washington, D.C.: Aug. 
15, 2005). 

¹⁸Department of Homeland Security Privacy Office, Privacy Impact Assessments: Official 
Guidance (March 2006). 




important instruments in establishing trust between the department 
and the public. As agencies develop or make changes to existing 
systems that collect personally identifiable information, it will 
continue to be critical for privacy officers to monitor agency 
activities and help ensure that PIAs are properly conducted so that 
their benefits can be realized. 


Ensuring that Data Mining Efforts Do Not Compromise Privacy Protections 

Many concerns have been raised about the potential for data mining 
programs at federal agencies to compromise personal privacy. In 
our May 2004¹⁹ report on federal data mining efforts, we defined data 
mining as the application of database technology and techniques — 
such as statistical analysis and modeling — to uncover hidden 
patterns and subtle relationships in data and to infer rules that allow 
for the prediction of future results. We based this definition on the 
most commonly used terms found in a survey of the technical 
literature. As we noted in our report, mining government and private 
databases containing personal information raises a range of privacy 
concerns. 

In the government, data mining was initially used to detect financial 
fraud and abuse. However, its use has greatly expanded. Among 
other purposes, data mining has been used increasingly as a tool to 
help detect terrorist threats through the collection and analysis of 
public and private sector data. Through data mining, agencies can 
quickly and efficiently obtain information on individuals or groups 
by exploiting large databases containing personal information 
aggregated from public and private records. Information can be 
developed about a specific individual or a group of individuals 
whose behavior or characteristics fit a specific pattern. The ease 
with which organizations can use automated systems to gather and 
analyze large amounts of previously isolated information raises 
concerns about the impact on personal privacy. Before data 
aggregation and data mining came into use, personal information 
contained in paper records stored at widely dispersed locations, 


¹⁹GAO, Data Mining: Federal Efforts Cover a Wide Range of Uses, GAO-04-548 
(Washington, D.C.: May 4, 2004). 






such as courthouses or other government offices, was relatively 
difficult to gather and analyze. 

In August 2005, we reported on five different data mining efforts at 
selected federal agencies, noting that although the agencies 
responsible for these data mining efforts took many of the steps 
needed to protect the privacy and security of personal information 
used in the efforts, none followed all key procedures.²⁰ Most of the 
agencies provided a general public notice about the collection and 
use of the personal information used in their data mining efforts. 
However, fewer followed other required steps, such as notifying 
individuals about the intended uses of their personal information 
when it was collected or ensuring the security and accuracy of the 
information used in their data mining efforts. In addition, as I 
previously mentioned, although three of the five agencies completed 
privacy impact assessments of their data mining efforts, none fully 
complied with OMB guidance. We made recommendations to the 
agencies responsible for the five data mining efforts to ensure that 
their efforts included adequate privacy and security protections. 

In March 2004, an advisory committee chartered by the Department 
of Defense issued a comprehensive report on privacy concerns 
regarding data mining in the fight against terrorism.²¹ The report 
made numerous recommendations to better ensure that privacy 
requirements are clear and stressed that proper oversight be in 
place when agencies engage in data mining that could include 
personal information. Agency privacy offices can provide a degree 
of internal oversight to help ensure that privacy is fully addressed in 
agency data mining activities. 


Controlling the Collection and Use of Personal Information Obtained from Commercial 
Sources 

Recent security breaches at large information resellers, such as 
ChoicePoint and LexisNexis, have highlighted the extent to which 


²⁰GAO-05-866. 

²¹Technology and Privacy Advisory Committee, Safeguarding Privacy in the Fight 
Against Terrorism (Washington, D.C.: Mar. 1, 2004). 






such companies collect and disseminate personal information. 
Information resellers are companies that collect information, 
including personal information about consumers, from a wide 
variety of sources for the purpose of reselling such information to 
their customers, which include both private-sector businesses and 
government agencies. Before advanced computerized techniques 
made aggregating and disseminating such information relatively 
easy, much personal information was less accessible, being stored in 
paper-based public records at courthouses and other government 
offices or in the files of nonpublic businesses. However, information 
resellers have now amassed extensive amounts of personal 
information about large numbers of Americans, and federal agencies 
access this information for a variety of reasons. 

A major task confronting federal agencies, especially those engaged 
in antiterrorism tasks, has been to ensure that information obtained 
from resellers is being appropriately used and protected. To this 
end, in September 2005, the DHS Privacy Office held a public 
workshop to examine the policy, legal, and technology issues 
associated with the government’s use of reseller data for homeland 
security. Participants provided suggestions on how the government 
can ensure that privacy is protected while enabling the agencies to 
analyze reseller data. 

We recently testified before this subcommittee on critical issues 
surrounding the federal government’s acquisition and use of 
personal information from information resellers.²² In our review of 
the acquisition of personal information from resellers by DHS, 
Justice, the Department of State, and the Social Security 
Administration, agency practices for handling this information did 
not always reflect the Fair Information Practices. For example, 
although agencies issued public notices on information collections, 
these did not always notify the public that information resellers 
were among the sources to be used, a practice inconsistent with the 
principle that individuals should be informed about privacy policies 
and the collection of information. And again, a contributing factor 


²²GAO, Personal Information: Agencies and Resellers Vary in Providing Privacy Protections, 
GAO-06-609T (Washington, D.C.: Apr. 4, 2006). 




was ambiguities in guidance from OMB regarding the applicability of 
privacy requirements in this situation. As I mentioned previously, we 
recommended that OMB revise its guidance to clarify the 
applicability of governing laws — both the Privacy Act and the E-Gov 
Act — to the use of personal information from resellers. 

In July 2005, we reported on shortcomings at DHS’s Transportation 
Security Administration (TSA) in connection with its test of the use 
of reseller data for the Secure Flight airline passenger screening 
program.²³ TSA did not fully disclose to the public its use of personal 
information in its fall 2004 privacy notices, as required by the 
Privacy Act. In particular, the public was not made fully aware of, 
nor had the opportunity to comment on, TSA’s use of personal 
information drawn from commercial sources to test aspects of the 
Secure Flight program. In September 2004 and November 2004, TSA 
issued privacy notices in the Federal Register that included 
descriptions of how such information would be used. However, 
these notices did not fully inform the public before testing began 
about the procedures that TSA and its contractors would follow for 
collecting, using, and storing commercial data. In addition, the 
scope of the data used during commercial data testing was not fully 
disclosed in the notices. Specifically, a TSA contractor, acting on 
behalf of the agency, collected more than 100 million commercial 
data records containing personal information such as name, date of 
birth, and telephone number without informing the public. As a 
result of TSA’s actions, the public did not receive the full 
protections of the Privacy Act. In its comments on our findings, DHS 
stated that it recognized the merits of the issues we raised, and that 
TSA acted immediately to address them. 

In our report on information resellers, we recommended that the 
Director, OMB, revise privacy guidance to clarify the applicability of 
requirements for public notices and privacy impact assessments to 
agency use of personal information from resellers and direct 


²³GAO, Aviation Security: Transportation Security Administration Did Not Fully 
Disclose Uses of Personal Information during Secure Flight Program Testing in Initial 
Privacy Notices, but Has Recently Taken Steps to More Fully Inform the Public, 
GAO-05-864 (Washington, D.C.: July 22, 2005). 




agencies to review their uses of such information to ensure it is 
explicitly referenced in privacy notices and assessments. Further, 
we recommended that agencies develop specific policies for the use 
of personal information from resellers. Until privacy requirements 
are better defined and broadly understood, agency privacy officers 
are likely to continue to face challenges in helping ensure that their 
agencies are providing appropriate privacy protections. 


Addressing Concerns about Radio Frequency Identification Technology 

Specific issues about the design and content of identity cards also 
raise broader privacy concerns associated with the adoption of new 
technologies such as radio frequency identification (RFID). RFID is 
an automated data-capture technology that can be used to 
electronically identify, track, and store information contained on a 
tag. The tag can be attached to or embedded in the object to be 
identified, such as a product, case, or pallet. RFID technology 
provides identification and tracking capabilities by using wireless 
communication to transmit data. In May 2005, we reported that 
major initiatives at federal agencies that use or propose to use the 
technology included physical access controls and tracking assets, 
documents, or materials.²⁴ For example, DHS was using RFID to 
track and identify assets, weapons, and baggage on flights. The 
Department of Defense was also using it to track shipments. 

In our May 2005 report we identified several privacy issues related 
to both commercial and federal use of RFID technology. Among 
these privacy issues are notifying individuals of the existence or use 
of the technology; tracking an individual’s movements; profiling an 
individual’s habits, tastes, or predilections; and allowing for 
secondary uses of information.²⁵ The extent and nature of the 
privacy issues depends on the specific proposed use. For example, 
using the technology for generic inventory control would not likely 
generate substantial privacy concerns. However, the use of RFIDs 


²⁴GAO, Information Security: Radio Frequency Identification Technology in the Federal 
Government, GAO-05-551 (Washington, D.C.: May 27, 2005). 

²⁵For information on the practices and tools to mitigate these privacy issues, see 
GAO-05-551, pp. 22-24. 






by the federal government to track the movement of individuals 
traveling within the United States could generate concern by the 
affected parties. 

A number of specific privacy issues can arise from RFID use. For 
example, individuals may not be aware that the technology is being 
used and that it could be embedded in items they are carrying and 
thus used to track them. Three agencies indicated to us that 
employing the technology would allow for the tracking of 
employees’ movements. Tracking is real-time or near-real-time 
surveillance in which a person’s movements are followed through 
RFID scanning. Media reports have described concerns about ways 
in which anonymity is likely to be undermined by surveillance. 
Further, public surveys have identified a distinct unease with the 
potential ability of the federal government to monitor individuals’ 
movements and transactions.²⁶ Like tracking, profiling — the 
reconstruction of a person’s movements or transactions over a 
specific period of time, usually to ascertain something about the 
individual’s habits, tastes, or predilections — could also be 
undertaken through the use of RFID technology. Because tags can 
contain unique identifiers, once a tagged item is associated with a 
particular individual, personally identifiable information can be 
obtained and then aggregated to develop a profile of the individual. 
Both tracking and profiling can compromise an individual’s privacy 
and anonymity. 

Concerns also have been raised that organizations could develop 
secondary uses for the information gleaned through RFID 
technology; this has been referred to as “mission-” or 
“function-creep.” The history of the Social Security number, for 
example, gives ample evidence of how an identifier developed for one 
specific use has become a mainstay of identification for many other 
purposes, governmental and nongovernmental.²⁷ Secondary uses of the Social 


²⁶GAO, Technology Assessment: Using Biometrics for Border Security, GAO-03-174 
(Washington, D.C.: Nov. 15, 2002). 

²⁷GAO, Social Security Numbers: Government Benefits from SSN Use but Could Provide 
Better Safeguards, GAO-02-352 (Washington, D.C.: May 31, 2002). 




Security number have been a matter not of technical controls but 
rather of changing policy and administrative priorities. 

As agencies take advantage of the benefits of RFID technology and 
implement it more widely, it will be critical for privacy officers to 
help ensure that a full consideration is made of potential privacy 
issues, both short-term and long-term, as the technology is 
implemented. 


In summary, privacy officers at federal agencies face a range of 
challenges in working to ensure that individual privacy is protected, 
and today I have discussed several of them. It is clear that advances 
in technology can present both opportunities for greater agency 
efficiency and effectiveness as well as the danger, if unaddressed, of 
eroding important privacy protections. Technological advances also 
mean there is a need to keep governmentwide privacy guidance 
up-to-date, and agency privacy officers will depend on OMB for 
leadership in this area. Even without a consideration of 
technological evolution, privacy officers need to be vigilant to 
ensure that agency officials are continually mindful of their privacy 
responsibilities. Fortunately, tools are available — including the 
requirements for PIAs and Privacy Act public notices — that can help 
ensure that the right operational decisions are made about the 
acquisition, use, and storage of personal information. By using these 
tools effectively, agencies have the opportunity to gain greater 
public confidence that their actions are in the best interests of all 
Americans. 

Mr. Chairman, this concludes my testimony today. I would be happy to 
answer any questions you or other members of the subcommittee 
may have. 


Contacts and Acknowledgements 

If you have any questions concerning this testimony, please contact 
Linda Koontz, Director, Information Management, at (202) 512-6240, 
or koontzl@gao.gov. Other individuals who made key contributions 






include Barbara Collier, John de Ferrari, David Plocher, and Jamie 
Pressman. 




Attachment 1: Selected GAO Products Related to Privacy Issues 

Personal Information: Agencies and Resellers Vary in Providing 
Privacy Protections. GAO-06-609T. Washington, D.C.: April 4, 2006. 

Personal Information: Agency and Reseller Adherence to Key 
Privacy Principles. GAO-06-421. Washington, D.C.: April 4, 2006. 

Data Mining: Agencies Have Taken Key Steps to Protect Privacy in 
Selected Efforts, but Significant Compliance Issues Remain. 
GAO-05-866. Washington, D.C.: August 15, 2005. 

Aviation Security: Transportation Security Administration Did 
Not Fully Disclose Uses of Personal Information during Secure 
Flight Program Testing in Initial Privacy Notices, but Has 
Recently Taken Steps to More Fully Inform the Public. GAO-05-864. 
Washington, D.C.: July 22, 2005. 

Identity Theft: Some Outreach Efforts to Promote Awareness of 
New Consumer Rights are Under Way. GAO-05-710. Washington, 
D.C.: June 30, 2005. 

Information Security: Radio Frequency Identification Technology 
in the Federal Government. GAO-05-551. Washington, D.C.: May 27, 
2005. 

Aviation Security: Secure Flight Development and Testing Under 
Way, but Risks Should Be Managed as System Is Further 
Developed. GAO-05-356. Washington, D.C.: March 28, 2005. 

Electronic Government: Federal Agencies Have Made Progress 
Implementing the E-Government Act of 2002. GAO-05-12. 
Washington, D.C.: December 10, 2004. 

Social Security Numbers: Governments Could Do More to Reduce 
Display in Public Records and on Identity Cards. GAO-05-59. 
Washington, D.C.: November 9, 2004. 




Federal Chief Information Officers: Responsibilities, Reporting 
Relationships, Tenure, and Challenges. GAO-04-823. Washington, 
D.C.: July 21, 2004. 

Data Mining: Federal Efforts Cover a Wide Range of Uses. 
GAO-04-548. Washington, D.C.: May 4, 2004. 

Aviation Security: Computer-Assisted Passenger Prescreening 
System Faces Significant Implementation Challenges. GAO-04-385. 
Washington, D.C.: February 12, 2004. 

Privacy Act: OMB Leadership Needed to Improve Agency 
Compliance. GAO-03-304. Washington, D.C.: June 30, 2003. 

Data Mining: Results and Challenges for Government Programs, 
Audits, and Investigations. GAO-03-593T. Washington, D.C.: March 
26, 2003. 

Technology Assessment: Using Biometrics for Border Security. 
GAO-03-174. Washington, D.C.: November 15, 2002. 

Information Management: Selected Agencies’ Handling of Personal 
Information. GAO-02-1058. Washington, D.C.: September 30, 2002. 

Identity Theft: Greater Awareness and Use of Existing Data Are 
Needed. GAO-02-766. Washington, D.C.: June 28, 2002. 

Social Security Numbers: Government Benefits from SSN Use but 
Could Provide Better Safeguards. GAO-02-352. Washington, D.C.: 
May 31, 2002. 




Attachment 2: The Fair Information Practices 

The Fair Information Practices are not precise legal requirements. 
Rather, they provide a framework of principles for balancing the 
need for privacy with other public policy interests, such as national 
security, law enforcement, and administrative efficiency. Ways to 
strike that balance vary among countries and according to the type 
of information under consideration. The version of the Fair 
Information Practices shown in table 1 was issued by the 
Organization for Economic Cooperation and Development (OECD) 
in 1980²⁸ and has been widely adopted. 


Table 1: The Fair Information Practices (principle: description) 

Collection limitation: The collection of personal information should be limited, should 
be obtained by lawful and fair means, and, where appropriate, with the knowledge or 
consent of the individual. 

Data quality: Personal information should be relevant to the purpose for which it is 
collected, and should be accurate, complete, and current as needed for that purpose. 

Purpose specification: The purposes for the collection of personal information should 
be disclosed before collection and upon any change to that purpose, and its use should 
be limited to those purposes and compatible purposes. 

Use limitation: Personal information should not be disclosed or otherwise used for 
other than a specified purpose without consent of the individual or legal authority. 

Security safeguards: Personal information should be protected with reasonable security 
safeguards against risks such as loss or unauthorized access, destruction, use, 
modification, or disclosure. 

Openness: The public should be informed about privacy policies and practices, and 
individuals should have ready means of learning about the use of personal information. 


²⁸OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data 
(Sept. 23, 1980). The OECD plays a prominent role in fostering good governance in the 
public service and in corporate activity among its 30 member countries. It produces 
internationally agreed-upon instruments, decisions, and recommendations to promote rules 
in areas where multilateral agreement is necessary for individual countries to make 
progress in the global economy. 





Individual participation: Individuals should have the following rights: to know about 
the collection of personal information, to access that information, to request 
correction, and to challenge the denial of those rights. 

Accountability: Individuals controlling the collection or use of personal information 
should be accountable for taking steps to ensure the implementation of these principles. 

Source: Organisation for Economic Co-operation and Development. 




This is a work of the U.S. government and is not subject to copyright protection in the 
United States. It may be reproduced and distributed in its entirety without further 
permission from GAO. However, because this work may contain copyrighted images or 
other material, permission from the copyright holder may be necessary if you wish to 
reproduce this material separately. 







GAO’s Mission 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting its 
constitutional responsibilities and to help improve the performance and 
accountability of the federal government for the American people. GAO 
examines the use of public funds; evaluates federal programs and policies; 
and provides analyses, recommendations, and other assistance to help 
Congress make informed oversight, policy, and funding decisions. GAO’s 
commitment to good government is reflected in its core values of 
accountability, integrity, and reliability. 

Obtaining Copies of 
GAO Reports and 
Testimony 

The fastest and easiest way to obtain copies of GAO documents at no cost 
is through GAO’s Web site (www.gao.gov). Each weekday, GAO posts 
newly released reports, testimony, and correspondence on its Web site. To 
have GAO e-mail you a list of newly posted products every afternoon, go 
to www.gao.gov and select “Subscribe to Updates.” 

Order by Mail or Phone 

The first copy of each printed report is free. Additional copies are $2 each. 

A check or money order should be made out to the Superintendent of 
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. Orders 
should be sent to: 


U.S. Government Accountability Office 

441 G Street NW, Room LM 

Washington, D.C. 20548 


To order by Phone: Voice: (202) 512-6000 

TDD: (202) 512-2537 

Fax: (202) 512-6061 

To Report Fraud, 
Waste, and Abuse in 
Federal Programs 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm 

E-mail: fraudnet@gao.gov 

Automated answering system: (800) 424-5454 or (202) 512-7470 

Congressional 

Relations 

Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 

U.S. Government Accountability Office, 441 G Street NW, Room 7125 
Washington, D.C. 20548 

Public Affairs 

Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800 
U.S. Government Accountability Office, 441 G Street NW, Room 7149 
Washington, D.C. 20548 


PRINTED ON RECYCLED PAPER 





Mr. Cannon. Thank you, Ms. Koontz. 

I just need to point out that we just had a panel of four participants 
who all finished within seconds of the 5 minutes. I have 
never seen that before in my life. Obviously, we have some 
well-experienced panelists. 

We have a significant problem here. We are going to try and 
mark this bill up today, and we have six votes probably between 
2:45 and 3:15. And so — yeah, we’ll have six votes, so that means 
that — let me just suggest that I’m not going to ask questions, and 
all the Members of the panel can ask written questions. 

Professor, I suspect you have your comments already written, 
and if you could submit those. You suggested you had more that 
you wanted to say. Do you have that in written form already? 

Ms. Katzen. Yes, Mr. Chairman. My written testimony includes 
two modest suggestions, one of which relates to the national secu- 
rity issue, and I think it is important. 

Mr. Cannon. Thank you. And if any of the panelists have other 
things you would like to make part of the record, we’ll leave the 
record open for 5 days. 

So I ask unanimous consent that the Members of the panel — that 
we limit questioning to 3 minutes for the panel. Hearing no objec- 
tion, so ordered. 

Mr. Watt. That is per Member? 

Mr. Cannon. That is per Member, yes. Pardon me. Hearing no 
objection, but with that clarification, so ordered. And we’ll keep the 
legislative record open for 5 days for questions. Without objection, 
so ordered. 

Thank you, and, Mr. Watt, you are recognized for 5 minutes. 

Mr. Watt. For 3 minutes — 3 minutes, I presume. Thank you, sir. 

Since we’re going on to the markup of H.R. 2840 and all of the 
witnesses heard my opening comments, I guess the most appro- 
priate question I could ask in my short period of time is to Ms. 
Cooney and Ms. Horvath, since you all are here representing the 
Administration, or at least your respective Departments. 

Do you have a clue whether the Administration really supports 
and wants this bill? Because they haven’t done anything to try to 
get it passed that I’m aware of on the Senate side, and we’re en- 
gaging in a futile gesture here passing it out of here without the 
Administration injecting itself and saying it wants it. 

So does either of you know whether the Administration really 
wants this bill? 

Ms. Cooney. Mr. Watt, I’d be happy to answer. I don’t know of 
a formal position that the Administration has taken on this bill. 
I’m not aware of one. I think in our last appearance I did mention 
that under section 222 we have very similar requirements at DHS 
to do PIAs on rulemakings, and we’ve been able to tackle that ef- 
fort and can improve on it as we 

Mr. Watt. But this is a systemwide, governmentwide bill, not a 
DHS bill. So I guess the question I’m asking is: Is the Administra- 
tion committed to having this done systemwide, or are they not? If 
you don’t know, I mean, just say you don’t know. 

Ms. Cooney. I know of no formal position on it. 

Mr. Watt. Okay. I assume you don’t know either, Ms. Koontz. 
You’re not here — you’re kind of in a different position with respect 





to the Administration. I understand that. Have you heard anything 
through the grapevine about whether the Administration wants it, 
Professor Katzen? 

Ms. Katzen. No. 

Mr. Watt. Okay. All right. I just keep pointing out that, you 
know, we’ve marked this bill up several times. It’s gone. The Chair- 
man indicated it went out of the House. Without the Administra- 
tion doing something to lift a finger to get it, it ain’t going to hap- 
pen. So we might be back here again next term of Congress doing 
the same thing. 

I yield back. 

Mr. Cannon. Thank you. 

I think Mr. Franks — the gentleman is recognized for 3 minutes. 

Mr. Franks. Mr. Chairman, I have no questions at this time. 

Mr. Cannon. Thank you, Mr. Franks. We appreciate that candor 
and directness, and I think — the gentleman from Massachusetts, 
Mr. Delahunt, is recognized for 3 minutes. 

Mr. Delahunt. Yes, thank you, Mr. Chairman. I’m going to 
make an effort to answer Mr. Watt’s question. I think it’s clear to 
me that the Administration — this is not a priority, I think it’s fair 
to say, for the Administration. Otherwise, this bill would have been 
enacted into law last year. And I think it’s time, particularly given 
the context of recent revelations concerning the NSA in particular 
that the Administration weigh in in a very significant way. If this 
bill is to pass, the Administration has to make it a priority. And 
I don’t think any of us — and I think I speak for all of us on this 
panel right now — have not seen evidence of the Administration 
making it the kind of priority that I think it deserves. 

As my colleagues would remember, myself and Mr. Berman had 
an amendment to the PATRIOT Act involving data mining, and 
there was great resistance from the Department of Justice regard- 
ing that particular amendment, which I believed to be somewhat 
innocuous. Well, now I understand better, after reading the USA 
Today and other revelations that occurred prior to that why there 
would be such resistance. This is simply an opportunity for the 
American people to find out what their Government was doing. 

I have to agree with you, Professor Katzen. You know, when 
there’s a lack of privacy afforded the individual citizen, we’re on 
our way to eroding democracy and living in a totalitarian society. 
It’s absolutely essential that this bill becomes a priority. 

Mr. Cannon. Would the gentleman yield? 

Mr. Delahunt. I yield. 

Mr. Cannon. Because I agree with the gentleman. Let me just 
point out that it is our obligation as the Legislature to set the lim- 
its and set the priorities here, and we have to do that as Repub- 
licans and Democrats and as the House and the Senate. That’s 
sometimes hard. This Administration — no Administration is going 
to focus on these issues like we do because our perspective is dif- 
ferent, and so I pledge to the gentleman that we will 

Mr. Delahunt. I appreciate that, and I would even request — the 
flip side, Mr. Chairman, is the lack of transparency, secrecy, if you 
will, that I would suggest has been an earmark of this Administra- 
tion. We’ve had the National Archivist, Mr. Leonard, complain 
about the ubiquitous classification of public documents that is 





going on. And I would hope that you would consider having a hear- 
ing into that particular issue. I think that is something that is war- 
ranted, particularly given 

Mr. Cannon. I’d be happy to speak with the gentleman, whose 
time has expired. 

May I ask unanimous consent that we not continue with ques- 
tions, since we just had a vote called, and that we move over to 
the markup of this bill? Thank you. 

[Whereupon, at 2:48 p.m., the Subcommittee proceeded to other 
business.] 




APPENDIX 


Material Submitted for the Hearing Record 







Response to Post-Hearing Questions from Maureen Cooney, Acting Chief 
Privacy Officer, U.S. Department of Homeland Security, Washington, DC 

Questions for the Record 

House Judiciary Commercial and Administrative Law Subcommittee 
Privacy in the Hands of the Government: The Privacy Officer for the Department of Homeland Security 

May 17, 2006 

Acting Chief Privacy Officer Maureen Cooney 

Questions from Representative Chris Cannon 

1. According to your testimony, you have been serving as the Acting Chief Privacy Officer for 
the past eight months. 

• What accounts for the apparent delay in finding a permanent Chief Privacy Officer? 

Response: The Department has made a decision to fill the position. In the interim, the Privacy 
Office and the broader network of component privacy officers and privacy and Freedom of 
Information Act specialists, some 430 strong, have continued conducting business as usual with 
the full support of DHS leadership. 

• When is it likely that a permanent replacement will be named to your position? 

Response: The Department made an announcement on July 21, 2006. 

2. Section 222 of the Homeland Security Act of 2002¹ requires your office to file an annual 
report with Congress. To date, however, it appears that only one report has been submitted to 
Congress. Please explain. 

Response: During the transition, I concluded that it might be best to cover as many of our 
activities as possible and to incorporate those that have occurred to date. To do that, we have 
expanded our coverage to encompass the past 24 months of our work. I hope that the final result 
will be worth the wait, as the Privacy Office has undertaken many initiatives to inculcate a 
culture of privacy within the agency and to work with our partners, both at home and abroad, to 
foster the respectful use of personally identifiable information for homeland security purposes. 

We will work to ensure future reports are submitted annually. Separately, we have published a 
quarterly newsletter, Privacy Matters, and distributed it to Congress for current updates on 
Privacy Office and DHS privacy-related activities. 

3. What are the major achievements of the Department of Homeland Security Privacy Office to 
date? 

Response: I highlighted some of these in my testimony before the Subcommittee and they will 
be covered in detail in our annual report, but they include a successful audit of DHS compliance 
with the requirements of the Passenger Name Record Agreement that was negotiated with the 
European Union, several highly successful and well-attended public workshops on current 
privacy issues, active participation in the development of privacy protocols for the Information 
Sharing Environment, collaboration within DHS to help build privacy into our programs, such as 
Secure Flight and other screening efforts, outreach to international partners through participation 
in working groups and assistance in developing appropriate international information sharing 


¹ Pub. L. No. 107-296, § 222, 116 Stat. 2135, 2155 (2002). 

Unless otherwise stated, all responses are current as of the date of the hearing. 




agreements, establishment and administrative participation in the work of the Data Privacy and 
Integrity Advisory Committee, which advises our office and the Secretary on privacy issues, and 
analysis and reporting on data mining projects, the MATRIX Program, and the privacy and civil 
liberties implications of the "No-Fly" lists. 

4. Does your office have sufficient funding and workforce resources? 

Response: It takes a significant amount of resources to conduct any successful privacy program, 
and the Privacy Office has fully utilized its funding and workforce resources. Additionally, we 
have leveraged DHS resources and partnerships throughout the Department’s components to 
ensure privacy policies and procedures are incorporated into DHS programs and systems. 

• Are all positions filled? 

Response: We have interviewed for the four new positions created as a result of the 2006 
appropriations. Three of the positions are filled - a Senior Advisor for Privacy Technology, a 
job-share between two individuals who will be International Privacy Specialists, and a Privacy 
Compliance Specialist with an emphasis on Privacy Impact Assessment coordination. We have 
a current offer outstanding for another Privacy Compliance Specialist whose work will focus on 
privacy audits. 

• How many employees does your office currently have? 

Response: We have 16 FTEs, 12 of which are filled, and 13 contractors. 

5. What are some of the biggest challenges that the Department of Homeland Security Privacy 
Office has encountered? 

Response: Perhaps our biggest challenge is to build a culture of privacy into the entirety of the 
Department; however, I cannot overstate the importance of the oversight function of the Privacy 
Office in ensuring consistent and uniform implementation of privacy policy throughout the 
Department. So, although this may be our biggest challenge it is one that we are working on 
successfully. We believe that the Privacy Office’s standardized operational approach to privacy 
allows the Department to respond to citizens’ concerns about Department activities and creates 
real tangible results in the protection of our citizens’ privacy. 

6. Has your office encountered any lack of cooperation or recalcitrance from other components 
in the Department of Homeland Security? 

Response: The Privacy Office works hard to be a good partner to all DHS programs and 
component offices, to assist our colleagues in building privacy into their initiatives. In general, 
we enjoy good relations across the agency. 






7. What is your response to those who question your office’s independence? 

Response: The DHS Privacy Office’s status as a direct report to the Secretary permits it to be a 
committed partner but one unafraid to cast a critical eye on initiatives if we believe that further 
steps should be taken to assure that the use of technologies sustain and do not erode privacy 
protections. I believe our published reports demonstrate the success we have had in achieving 
our mission. 

8. How do you respond to those who believe that privacy protections may undermine law 
enforcement and antiterrorism endeavors? 

Response: Privacy and security are not mutually exclusive goals, and the overall message that 
our office works to convey, internally as well as externally, is that we can and must achieve both 
if we are to preserve our way of life. This is a message that resonates with the Secretary, who has 
said that "we want to build security regimes that maximize privacy protection and that do it in a 
thoughtful and intelligent way," that is reflected in our strategic goals as an agency, and that is at 
the heart of our mission. No less an authority than the National Commission on Terrorist 
Attacks Upon the United States has opined that “the choice between security and liberty is a false 
choice,” and this is a message that must guide all of us as we pursue our homeland security 
mission. 

9. Does the statute that created your position provide sufficient guidance and direction? 

Response: Yes. Our enabling statute, which includes reporting requirements on privacy 
violations, implementation of the Privacy Act, internal controls and other matters, ensures that 
we have the opportunity to work on the full range of privacy issues at DHS. The office has 
sufficient guidance and direction. 

10. To what extent do you coordinate with privacy officers in other agencies? Are there shared 
problems/solutions? 

Response: Since its inception, our office has been the leader on privacy matters and we 
coordinate with privacy officers in other agencies on a regular basis, through formal meetings, 
our workshops and through individual contacts. Because privacy requirements for federal 
agencies are consistent across agencies, we have been able to share our expertise and insights 
with privacy officers in many other departments, and, in turn, have benefited in our own work 
from their experiences. In particular, I am pleased to have developed a strong working 
relationship with the Privacy and Civil Liberties Offices for the Department of Justice and the 
Director of National Intelligence, along with the White House Privacy and Civil Liberties 
Oversight Board. We plan to work closely together as an executive branch-wide structure to 
ensure that privacy and civil liberties are adequately considered in the design, implementation 
and management of policy and programs. 










Response to Post-Hearing Questions from Sally Katzen, Professor, George 
Mason University Law School, Arlington, VA 


1. What are the biggest challenges that federal privacy officers address? 

[...] first, getting a seat at the table when [...] formulated, and second, being heard (and 
supported) when [...] implications about high priority proposals. Too often, privacy officers 
are seen as simply administrators of the Privacy Act and other [...], whereas [...] when 
establishing and implementing all agency activities. [...] appointed within the Office of 
Management and Budget [...] not only be [...] privacy concerns in national policy debates, but 
also there would be someone in the Executive Office of the President with “privacy” in his or 
her title [...] charged with oversight of federal privacy practices, developing national privacy 
[...], monitoring of interagency processes where privacy is implicated [...] information sharing, 
[...] many privacy issues affect multiple federal agencies. [...] OMB plays a critical role in 
clearance of executive orders, regulations, proposed legislation, etc. [...] would be able to be 
involved in all of these [...]. In addition, a chief privacy officer within OMB would serve as [...] 
for government-wide coordination, expertise and training [...] identifiable point of contact for 
industry, privacy advocates, international privacy officers and other interested persons. 

2. [...] expanding the number of statutory [...] (DHS) and the Department of [...] the so-called 
Chief Financial Officers Act Departments [...]? 

[...] I can think of [...] cost of not adopting is virtually nil, whereas the [...] 

[Remainder of this response illegible in the printed record.] 





Response to Post-Hearing Questions from Linda D. Koontz, Director, Infor- 
mation Management Issues, U.S. Government Accountability Office, Wash- 
ington, DC 


GAO 

Accountability - Integrity - Reliability 

United States Government Accountability Office 
Washington, DC 20548 


June 7, 2006 

The Honorable Chris Cannon 
Chairman, Subcommittee on Commercial and Administrative Law 
Committee on the Judiciary 
House of Representatives 

Subject: Privacy: Subcommittee Questions Concerning Legislatively-Created Privacy Officers 

Dear Mr. Chairman: 

[...] argument in favor of a legislatively-created privacy officer is the [...] required senior 
privacy official at any federal agency. While we [...] recently published detailed guidance on 
conducting privacy impact assessments [...] used to draft similar guidance at the [...] senior 
officials designated to [...] already have [...] privacy officer [...] 

[...] would require each agency covered by the act to have a chief privacy officer responsible 
for [...] assuring that the use of technologies sustain and do not erode privacy protections [...] 
the use, collection and disclosure of [...]. Subsequently, in February 2005, OMB issued a 
memorandum to [...] agencies requiring them to designate a senior official with overall 
agencywide responsibility for [...] privacy issues. This senior official [...] the agency’s 
development and evaluation of policy proposals relating to the [...]. [...] reported that all 
major agencies have designated senior privacy [...] as required. In addition, prior to the 
OMB guidance, several agencies had already designated [...] at high levels without legislative 
requirement [...]; the Internal Revenue Service had been one of the first, establishing [...] in 
1993. In 2001, the Postal Service established a Chief Privacy Officer. 

[...] such as the Internal Revenue Service and the Postal Service, which have already 
established senior privacy [...] offices, and other agencies are already under legislative 
requirements [...] officers. However, to the extent that the Congress believes [...] emphasis 
on privacy, legislative [...] may be beneficial to heighten awareness and attention to these 
issues. 

[...] Agencies, GAO-[illegible]T. 

¹ Homeland Security Act of 2002, Pub. L. 107-296, § 222, 116 Stat. 2155. 

[...] (2) and (3) and 4(d) [...] U.S.C. [...] 

OMB, Designation of Senior Agency Officials for Privacy, Memorandum M-05-08 (Feb. 11, 2005). 



[...] that their data mining efforts do not compromise privacy protections? 

[...] requirements of the Privacy Act and E-Government Act of 2002, including [...] privacy 
impact assessment (PIA). PIAs are important tools [...] require an agency to fully consider the 
privacy implications of planned [...] collections before those systems and collections have been 
fully [...] easy to make critical adjustments and (2) provide [...] more complete information 
about the privacy impacts of agency [...] activities than would otherwise be available. Keeping 
the public fully informed [...] information is a key element in [...]. Complete assessments [...] 
identify areas of noncompliance with federal privacy laws, evaluate risks arising [...] 
maintenance of [...] protections or alternative processes needed to mitigate the risks identified 
[...] the steps required to protect personal [...] risk the improper exposure or alteration of 
information [...] the agencies responsible for the data mining effort [...] needed and make [...]. 

In addition, agencies can obtain guidance from a March 2006 report [...] include personal 
information [...] 

[...] Terrorism. 


internal oversight to help ensure that privacy is fully addressed in agency data mining 
activities. 


In preparing this correspondence, we relied on previously issued GAO products, 
testimony of the Department of Justice Chief Privacy and Civil Liberties Officer, and 
a May 22, 2006 Office of Management and Budget memorandum concerning agency 
responsibilities for safeguarding personally identifiable information. 

Should you or your office have any questions on matters discussed in this letter, 
please contact me at (202) 512-6240, or John de Ferrari, Assistant Director, at (202) 
512-6335. We can also be reached by e-mail at koontzl@gao.gov and 
deferrarij@gao.gov, respectively. 

Sincerely yours, 

Linda D. Koontz 

Director, Information Management Issues 







